Security and Compliance

How can we improve Windows Azure security and compliance?


  • Add a solution for Office 365 Audit logs

    The O365 Solution gives a lot of useful data, but does not provide all the details that are available in the O365 Audit logs. For example, file sharing is logged in OMS, but the detail of who the file was shared with is not included.

    3 votes  ·  0 comments
  • Key Vault: Manage a wider scope of credentials

    We have an application that gathers data from a wide range of external data sources, each with their own credentials, including simple usernames/passwords. Key Vault does not have sufficient fields to document these (e.g. API URLs) fully. It seems that Key Vault was designed for Azure-centric secrets only.

    2 votes  ·  0 comments
  • PCI DSS 2017

    Renew PCI DSS certification for 2017 - 2018.

    3 votes  ·  0 comments
  • CIS compliance check on Azure

    It would be great if Azure would create the CIS benchmarks for Azure and its images, along with the checks to make sure compliance is reached.

    These checks could also be integrated in Security Center or made available via API.

    https://benchmarks.cisecurity.org/downloads/latest/

    41 votes  ·  1 comment
  • Key Vault: Get latest version of certificate in template

    In templates, a certificate URL is required to be set for certificate install. It would be great if we didn't have to give the version hash explicitly, but could get the latest certificate with the /latest version, or, when no version hash is defined, have the latest be the default.

    7 votes  ·  0 comments
  • Key Vault: add signing input (hash) to audit logs

    Currently the Key Vault log does not contain the hash which was signed during a signing operation.

    Adding the hash to the log could make the audit log cryptographically auditable, which would be a great improvement over the current situation.

    Here is our use case and my rationale for why adding this information is important:

    If you are running an online service which needs to sign data, one of your options is to sign directly on that machine with a private key. The problem with this solution is that if your server is hacked, then the hacker can steal the private key and sign anything…

    11 votes  ·  0 comments
  • Shipping container public voter drop box

    Utilize full-size security shipping containers with a submission slot, located at every local police station, to eliminate any tampering.

    1 vote  ·  0 comments
  • Provide reference architectures for complying with PCI and other regulations

    Clients who are considering AWS vs. Azure, and have compliance regulations to deal with, appreciate AWS's reference architectures. See here: https://aws.amazon.com/about-aws/whats-new/2016/05/pci-dss-standardized-architecture-on-the-aws-cloud-quick-start-reference-deployment/

    2 votes  ·  2 comments
  • Allow me to run an ISO 27001 service using all Microsoft PaaS; make it easy to tell which ones I cannot use

    Currently, the Trust Center says many PaaS services are ISO 27001. Microsoft also has a document that recommends encryption for all services on Azure: https://azure.microsoft.com/en-us/blog/13-effective-security-controls-for-iso-27001-compliance/

    Yet HDInsight, and other services, do not offer encryption, which violates the 13 effective security controls.

    It would be helpful if Microsoft could provide guidance on how to deal with this.

    3 votes  ·  0 comments
  • Implement the possibility to customize Azure Portal connection automatic log-out for (e.g.) PCI certification

    Hello Azure Portal Team.
    We are PCI-certified and our QSA has been insisting that we set a drastically short inactivity logout time on connections to the Azure Portal (between 15 and 30 min) on account of PCI Req 8.1.8.
    The Portal controls the ACL rule settings, and this raises a major security breach with the portal staying alive for well over 10 hours.
    Contact with Azure Support (ticket 116053014224862) has shown that such a capability does not currently exist, and Support is not particularly aware of the current implementation situation (whether such an automatic log-out exists and which criteria control it).

    Practical…

    1 vote  ·  0 comments
  • Add Timestamp Service to Key Vault

    Most HSMs provide the ability to timestamp according to RFC standards. Please expose this ability via the Azure API.

    12 votes  ·  1 comment
  • Limit endpoints where you can manage Azure from

    I would love to have the possibility to control which endpoints you are allowed to manage your Azure services from. Like an ACL: management can be done from these endpoints (IP addresses) and from no place else. Today we have to use ADFS and special domains in the UPN to be able to resolve this. But it doesn't apply to all accounts.

    So having that possibility would be great. Jump servers have been used for many years in the on-prem world. And even if you use MFA, there is no way to guarantee that the endpoint that you are managing…

    5 votes  ·  0 comments
  • PKI as an Azure Service

    Certificate Services (ADCS/PKI/CA) should be offered as a service in Azure, at least for infrastructure purposes such as machine certificates for MFM, Wi-Fi access and user web authentication, e.g. to Azure itself. CA private keys can be stored in Azure Key Vault to be secured.
    A hybrid client should be provided to support autoenrollment for Windows 7 and later clients, to simulate an on-prem Enterprise CA. The web interface should be in Azure and support platforms other than Windows.
    I am willing to spend time and effort to be part of a user group, think tank, beta test group…

    170 votes  ·  4 comments
  • Dashboard for security administrators where we can find all resources available via RBAC for a given AD user

    RBAC is cool, but managing rights in a huge enterprise environment is too hard.
    We need a dashboard where a security administrator can input a user name from Azure AD, and the dashboard will show all subscriptions, resource groups and resources with the effective user permissions.

    3 votes  ·  0 comments
  • Provide Better Developer Integration Experience for Azure Key Vault / Reduce Surface Area for Attacks

    Currently Azure developers have to wrestle with how to protect the data that they would like to protect and retrieve with Azure Key Vault. Developers work in source control, and the data that they have to provide in app.config can be considered secret and/or sensitive. App.config can be checked into source control and can even be available as an open source project in GitHub for the whole world to see.

    Even if a developer chooses to use a client ID and a certificate, the developer still has to provide a REST-based URL within the code base as well, and this…

    19 votes  ·  1 comment
  • Allow more fine-grained control of baseline rules in Security Center

    At the moment you have to either disable or enable all the Baseline Rules.

    This is bad. There are certain rules that a base installation with some services triggers. A good example is CCE-10274-9, which is triggered by a basic installation of ASP.NET, because all the ASP.NET accounts get added, which the baseline rule assumes to be a problem.

    15 votes  ·  0 comments
  • Enable notification of Security Support Team without requiring Support Plan

    Azure support recently helped us address an issue we believe related to a series of malicious HTTP requests. Support suggested that we notify the Security Support Team in a new ticket - a good idea; however, we found out that a paid support plan is required to do this.

    In this case we're not requesting assistance, only attempting to make a notification which could be used to improve security in general.

    It would be beneficial to the Azure platform in general if the Security Support Team could be notified without requiring a paid plan.

    1 vote  ·  0 comments
  • List the features of Azure that are FIPS 140-2 compliant. Currently, the Trust Center does not list them.

    Specifically, in this case we need to know if Azure SQL Database is FIPS 140-2 compliant, but having all of the features that are compliant listed would be very helpful.

    1 vote  ·  0 comments
  • ECC support for Azure Key Vault

    Give Azure Key Vault the option to perform Encrypt/Decrypt/Sign/Verify functions using ECC keypairs instead of RSA keypairs.

    This allows Azure Key Vault to create digital signatures which are far smaller to transmit and faster to verify than their RSA counterparts. This is an extremely useful function for many scenarios, such as deferring to Azure Key Vault for signing (and potentially verifying) JWT tokens for use as API access tokens.

    61 votes  ·  5 comments