Security and Compliance

How can we improve Windows Azure security and compliance?


• HITRUST certified Azure Functions

  Please cover Azure Functions in your HITRUST certifications. The insurance industry is increasingly requiring this compliance and we are unable to use these features due to those requirements. Please help! The insurance industry is huge and would benefit greatly from this feature.

  Thanks!

  3 votes
  0 comments
• Key Vault: Support ACME protocol (Let's Encrypt)

  Key Vault currently supports automated management of PKI (TLS) certs via "approved" CAs. Please add support for the ACME protocol so that Key Vault can manage certs issued by Let's Encrypt, and/or an Azure-based ACME-compliant Microsoft CA.

  In other words: the days of having to pay for certs are over. Please support free certs.

  Thanks!

  8 votes
  0 comments
• Identity Protection Blade Password Reset tool doesn't work for password writeback

  The Identity Protection blade password reset tool doesn't work for password writeback. Please make it possible to set the length and complexity of passwords generated by the password generator in the Identity Protection management blade in Azure. We have password writeback enabled, and the built-in tool for password generation in the blade generates a password that doesn't meet our complexity requirements. It's very inconvenient to have to leave the Identity Protection blade, and it would be fantastic if we could do it from the Identity Protection blade. This is really important for leaked credentials of students, who we can't yet…

  1 vote
  0 comments
• Consistent and easy way to assign/remove access control policies in AD FS

  In AD FS 2016, you can assign access control policies for relying parties via the AD FS management console. However, you have to use PowerShell to un-assign them. We need a consistent and easy way to do this for both assign and un-assign using the UI.

  1 vote
  0 comments
• Additional local administrators on Azure AD joined devices

  In Azure there is a list that can be created for additional local administrators on Azure AD joined devices. However, after creating a list, when I go back to modify it, it removes the previous user list and I must recreate the list from scratch each time I need to either add or remove a user. This is definitely a design flaw. Also, we should be able to view the current list, not "User and xx others".

  Ideally we should be able to grant local admin rights directly to the device that is Azure joined instead of an all or nothing…

  3 votes
  1 comment
• Remember Multi-Factor Authentication for devices that users trust for the on-premise MFA Server

  We have users that access company resources externally using our on-premise MFA Server. Can we duplicate the feature "Remember Multi-Factor Authentication for remembered devices and browsers" that is included in Azure Multi-Factor Authentication?

  We would like to have this same feature, which is found not only in Azure but also in other areas including online banking, credit card account access and so on.

  1 vote
  0 comments
• Conditional Access MFA converted to global MFA

  We are using Azure Cloud MFA by way of Azure Conditional Access Policies today; however, we wish to move to Azure MFA "Global", where we just enable MFA for the user regardless of other policies. However, to do so requires the user to start over with MFA and reset all of their options. Please provide a method for us to move from Conditional Access based MFA to Global MFA.

  3 votes
  0 comments
• Add a solution for Office 365 audit logs

  The O365 solution gives a lot of useful data, but does not provide all the details that are available in the O365 audit logs. For example, file sharing is logged in OMS, but the log does not include the detail of who the file was shared with.

  3 votes
  0 comments
• Key Vault: Manage a wider scope of credentials

  We have an application that gathers data from a wide range of external data sources, each with their own credentials, including simple username/passwords. Key Vault does not have sufficient fields to document these (e.g. API URLs) fully. It seems that Key Vault was designed for Azure-centric secrets only.

  2 votes
  0 comments
• PCI DSS 2017

  Renew PCI DSS certification for 2017 - 2018.

  6 votes
  0 comments
• CIS compliance check on Azure

  It would be great if Azure would create CIS benchmarks for Azure and for images, together with the checks to make sure compliance is reached.

  Also, these checks could be integrated in Security Center or made available via API.

  https://benchmarks.cisecurity.org/downloads/latest/

  50 votes
  2 comments
• Key Vault: Get latest version of certificate in template

  In templates, a certificate URL is required to be set for cert install. It would be great if we didn't have to give the version hash explicitly, but could get the latest certificate with the /latest version, or, when no version hash is defined, the latest would be the default.

  9 votes
  0 comments
• Key Vault: add signing input (hash) to audit logs

  Currently the Key Vault log does not contain the hash which was signed during a signing operation.

  Adding the hash to the log could make the audit log cryptographically auditable, which would be a great improvement over the current situation.

  Here is our use case and my rationale for why adding this information is important:

  If you are running an online service which needs to sign data, one of your options is to sign directly on that machine with a private key. The problem with this solution is that if your server is hacked then the hacker can steal the private key and sign anything…

  11 votes
  0 comments
• Shipping container public voter drop box

  Utilize full-size security shipping containers with a submission slot, located at every local police station, to eliminate any tampering.

  1 vote
  0 comments
• Provide reference architectures for complying with PCI and other regulations

  Clients who are considering AWS vs. Azure, and have compliance regulations to deal with, appreciate AWS's reference architectures. See here: https://aws.amazon.com/about-aws/whats-new/2016/05/pci-dss-standardized-architecture-on-the-aws-cloud-quick-start-reference-deployment/

  2 votes
  2 comments
• Allow me to run an ISO 27001 service using all Microsoft PaaS; make it easy to tell which ones I cannot use

  Currently, the Trust Center says many PaaS services are ISO 27001 certified. Microsoft also has a document that recommends encryption for all services on Azure: https://azure.microsoft.com/en-us/blog/13-effective-security-controls-for-iso-27001-compliance/

  Yet HDInsight, and other services, do not offer encryption, which violates the 13 effective security controls.

  It would be helpful if Microsoft could provide guidance on how to deal with this.

  3 votes
  0 comments
• Implement the possibility to customize Azure Portal automatic log-out (e.g. for PCI certification)

  Hello Azure Portal Team.
  We are PCI-certified and our QSA has been insisting that we set a drastically short inactivity logout time on connections to the Azure Portal (between 15 and 30 min) on account of PCI Req 8.1.8.
  The Portal controls the ACL rule settings, and this constitutes a major security breach with the portal session staying alive for well over 10 hours.
  Contact with Azure Support (ticket 116053014224862) has evidenced that such a capability does not currently exist, and Support is not particularly aware of the current implementation situation (whether such an automatic log-out exists and which criteria control it).

  Practical…

  1 vote
  0 comments
• Add Timestamp Service to Key Vault

  Most HSMs provide the ability to timestamp according to RFC standards. Please expose this ability via the Azure API.

  15 votes
  1 comment
• Limit endpoints where you can manage Azure from

  I would love to have the possibility to control which endpoints you are allowed to manage your Azure services from. Like an ACL: management can be done from these endpoints (IP addresses) and from no place else. Today we have to use AD FS and special domains in the UPN to be able to resolve this, but it doesn't apply to all accounts.

  So having that possibility would be great. Jump servers have been used for many years in the on-prem world. And even if you use MFA, there is no way to guarantee that the endpoint that you are managing…

  5 votes
  0 comments
• PKI as an Azure Service

  Certificate Services (ADCS/PKI/CA) should be offered as a service in Azure, at least for infrastructure purposes such as machine certificates for MFM, Wi-Fi access and for user web authentication, e.g. to Azure itself. CA private keys can be stored in Azure Key Vault to be secured.
  A hybrid client should be provided to support autoenrollment on Windows 7 and later clients to simulate an on-prem Enterprise CA. The web interface should be in Azure and support other platforms than Windows.
  I am willing to spend time and effort to be part of a user group, think tank, beta test group…

  225 votes
  4 comments