Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

How can we improve compliance or protect your users better in Office 365?

  • Change Exchange Online recipient limit

    Need to change Exchange Online recipient limits. The default value is 500 and can't be modified.
    In this case, users are able to send bulk/spam messages by selecting the entire global address list.

    959 votes
    73 comments · Spam & Phishing

    Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?

    For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.

    For any comments regarding other issues with limits or throttling (e.g., increasing a limit),…

  • Implement Sender Rewriting Scheme (SRS) to Resolve Forwarding Issues

    Forwarding in SMTP is fundamentally flawed unless you implement SRS.

    http://www.openspf.org/SRS

    If you maintain the Return-Path of the originating message while forwarding, you effectively spoof the originating domain.

    If you modify the Return-Path to be the address of the account that forwarded a message, you break the Return-Path chain, and delivery issues will result in the forwarded message's Delivery Status Notification (DSN) being delivered to the forwarding user and not the original sender.

    SRS resolves this by modifying the Return-Path in a way that doesn't spoof the originating domain but still allows DSNs to be sent to the original sender.

    589 votes
    28 comments · Spam & Phishing

    Added to the roadmap (https://products.office.com/en-us/business/office-365-roadmap) for tracking. As mentioned earlier, we’re also looking very seriously at Authenticated Received Chain, which is in draft, but has good momentum for adoption. We hope to report back soon on that as well.

    If you’re interested in signing your tenant up early to help us test this out, be sure to give us your email address so you can receive an invitation when we’re ready!

  • Phishing attacks using Office 365 compromised accounts / ATP Safe Links not working

    Hello Microsoft ATP Team,

    This is to bring to your notice that spammers/phishers have started targeting Office 365 tenants, which creates a mail loop between Office 365 hosted domains, and these emails are getting circulated, through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are generated from an actual account hosted in Office 365, the emails are considered safe and land in users' inboxes. We have an ATP Safe Links policy in place; however, it's not performing the job as expected. ATP is a great feature, but we request…

    512 votes
    24 comments · Spam & Phishing
  • Improve message tracing in Exchange Online

    We have had a lot of issues with spam, whether it's cryptovirus emails getting through or good emails getting improperly blocked. Because of this, we need good message tracing (to find the emails), which we do not feel we have with Exchange Online. We would like to make the following suggestions:

    1. Need to be able to trace further than 7 days back without a 4 hour wait per trace. Our previous message tracing system could go back the entire year nearly instantly, but we need at least 30 days without the 4 hour wait per trace. This was pitched…

    392 votes
    16 comments · Message Trace

    Thank you for taking the time to submit this feedback. Since there are multiple pieces and layers of feedback in this single post, it makes it more difficult than many to address. First, let us share a little about what we’ve been doing. Since this post was made, we have prioritized performance and reliability improvements for both Message Trace (inside 7 days) and Historical Search (typically outside of 7 days). We’ve added details to Message Trace that weren’t there before, decreasing the need to run Historical Searches inside of 7 days. For Historical Search, we have improved the results to be more clear for those who are not familiar with the Exchange Message Tracking log format. Additionally, while we get the total value of Message Trace, we’ve also prioritized reducing the constant need to search & destroy. We’ve made tremendous strides in effectiveness, even as the bad guys got more…

  • Allow seeing private emails in shared mailboxes in Outlook (in OWA you can see them)

    Short:

    On shared mailboxes in Office 365, emails that are flagged by the sender as private are hidden. In OWA they are visible.

    Long:

    Users having full access to the shared mailbox do not see emails sent with a private flag, and they do not get informed about it. The emails are just silently hidden by Outlook without any further notice. Quite stupid for a shared mailbox (e.g. incoming orders!)

    We discovered that by coincidence: our users were concerned because the number of unread emails was increasing, although there were no unread emails visible to them.

    If they…

    377 votes
    28 comments
  • Allow quarantined emails to be deleted from the quarantine list for clarity

    Ability to delete emails in the quarantine queue that were reviewed and are irrelevant. This will make it easier to check the queue over time instead of waiting for the messages to expire.

    364 votes
    22 comments · Spam & Phishing
  • Make sure that Exchange Online mailboxes are enabled for auditing

    The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

    362 votes
    in the plans · 15 comments · Auditing
  • Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

    Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

    The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

    OutlookWebApp: BasicAuthentication, AdfsAuthentication
    ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
    RemotePowerShell: BasicAuthentication, NonBasicAuthentication
    ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
    IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

    358 votes
    9 comments · Advanced Security Management

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

  • End User Spam Notification - Frequency

    Currently we can only have 1 email sent per day notifying the user that they have spam in quarantine.

    The email is usually sent just after midnight, so if the user does not check their quarantine it could be a full 24 hours until the user is notified that they have spam to release.

    Could I suggest that this email can be sent at least 3 times per day?

    Cheers

    352 votes
    42 comments · Spam & Phishing

    Thank you for your feedback. We have a clarifying question that would help us to prioritize this better: If you need notices 3 (or more) times per day, why use quarantine at all? Why not send the mails to a junk folder which the user can check on demand? If you want a notice each time any message gets quarantined, again, what prevents just sending the mails to a junk folder instead?

  • Office 365 mail queue viewer and control

    It would be better if admins got the option to view the mail queue in Office 365. We would have more control over the email flow if this option were enabled.

    321 votes
    23 comments

    Thank you for your feedback.

    Today you can see messages which are “pending” in a queue through the Message Trace feature. In the Mail flow Dashboard, you can see messages queued for more than an hour. We’ve also created alerting for this condition. Can you tell us what other things you need and what the scenarios look like / how commonly you need to perform the task?

    This would help us when evaluating this item further.

  • Allow Settings for Message Expiration Timeout Interval and NDR

    For some error codes related to sending mails, the senders may receive the NDR immediately. However, for some other error codes, the mail server marks the undeliverable messages as a temporary error and the senders don't immediately receive an NDR. Instead, Exchange Online repeatedly tries to deliver the message over two days. Only after two days of unsuccessful delivery attempts does the sender receive this NDR.

    For some time-critical businesses this is not acceptable. The user has to be informed very quickly (<6 hours) that his mail has not yet been delivered. Then the user can phone the recipient…

    316 votes
    37 comments

    Keep the feedback coming. We appreciate continued details as to which option(s) would work best. The trick is balancing notifying users (who usually can’t take action, but certainly want to know when messages are delayed) vs. notifying the admins (who may or may not be able to take action but may not want such a quick notification — for example if they are responsible for a server that is down for planned maintenance or a DNS change which takes time to propagate). We would certainly like for this to be somewhat configurable in the future, but also are considering alternatives to the current 48 hours.

  • Active Directory AccountExpires attribute does not stop login to Office 365

    We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still log in to Office 365.

    We believe this is a major security flaw, as many customers will believe that if the user can no longer log in to the Active Directory domain then they must also not be able to log in to Office 365; however, this is not the case.

    Setting an account with an expiry date should stop the account from logging into Office 365 as well.

    259 votes
    12 comments · Advanced Security Management
  • Allow DLP rule exception for encrypted outbounds

    DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
    One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
    I would like to trigger a rule on outbound matches unless the message is encrypted, in order to enforce our internal policy compliance.

    248 votes
    12 comments · DLP & Transport Rules
  • Audit license assignment by subscription / product

    We should be able to see which subscription / product was assigned to or removed from an Office 365 account. In the actual audit log, there is only a little information, which is not relevant at all! We must be able to know who assigned a specific Office 365 workload to a user and when, e.g. Office 365 ProPlus or Skype for Business.

    231 votes
    9 comments · Auditing
  • OneDrive for Business unable to delete folder directly, caused by Retention Policy

    Dear Microsoft,

    OneDrive for Business is one of the useful tools for cloud storage, whereby an end user should be able to delete folders (even with files inside) easily, even when a retention policy is applied.

    Retention policy is supposed to be used on the backend and is not supposed to affect OneDrive for Business usage. We have 500 users impacted by this. (And I assume all users have this issue, as Microsoft support tested and had this issue - "behaviour".)

    I was informed by Microsoft that this is by default the preservation policy design behaviour, which I think is not considered design behaviour anymore…

    211 votes
    11 comments · eDiscovery
  • Re-enable the Exchange Online Activities API (Magic Unicorn)

    Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

    Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

    On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…

    190 votes
    0 comments · Auditing
  • Advanced Threat Protection (ATP) Whitelist - add wildcard support and/or extend the 320 character limit

    The Advanced Threat Protection (ATP) Safe Links whitelist currently has a 320 character limit, and does not allow wildcards.

    Please either turn on wildcards for the URLs or expand the 320 character limit to something much larger.

    189 votes
    12 comments · Malware
  • Office 365 Message Encryption: User Driven Outlook Plugin

    Please provide an Outlook plugin for users to initiate an encrypted email. I know this is on the roadmap for OWA, but most users are still using Outlook 2010+. Provide a new button directly under the current Send button that says, "Send Encrypted".

    Our client base can't depend on users typing in **encrypt** and Exchange DLP rules for encryption.

    187 votes
  • Ability to add company logo images globally to all user signatures

    The ability to add a company logo or image to a signature as an admin globally for all users would be nice. Currently the suggested solution to append a disclaimer isn't ideal as it always posts the image to the very bottom of the email, not the signature. This doesn't work for a back and forth conversation thread since it starts stacking the image at the bottom.

    181 votes
    6 comments · DLP & Transport Rules
  • DLP needs to be able to read OCR

    At the present time DLP is not able to read OCR documents, namely documents scanned to PDF. This is a GIANT, GAPING hole in terms of security. I have clients who have hundreds of thousands of documents that contain sensitive information saved in OneDrive, but no DLP policies can be applied to these documents, since DLP is not OCR aware. Please correct ASAP! Thanks!

    178 votes
    3 comments · DLP & Transport Rules