Office 365 Security & Compliance
Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!
-
Block logins from other countries
It would improve security if we can restrict O365 logins to a specific geographic region. Or exclude specific countries if we identify major hacking attempts from those countries.
3,725 votes
Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.
That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.
-
DMARC Aggregate Reports from O365 Domains
Ability for Office 365 to send DMARC Aggregate reports when set in a monitoring policy to see which authorised/unauthorised senders are using my domain suffix... just like other vendors are already doing.
3,709 votes
This is work we are planning to do although there is no ETA at this time.
-
DNSSEC support in Office 365
Please add DNSSEC support for managed domains in Office 365 business (enterprise) plans
2,120 votes
Work has begun on adding support for DNSSEC in Office 365 for some services and products. Different services and products will have different plans given the architecture of the Office 365 service.
For Exchange Online, commitments for support have been made here: https://techcommunity.microsoft.com/t5/exchange-team-blog/support-of-dane-and-dnssec-in-office-365-exchange-online/ba-p/1275494
-
Allow endusers to access quarantine for shared mailboxes
Currently, only admins can view the quarantine for shared mailboxes. Users are automatically redirected to their own quarantine. I'd love for there to be a default for users who are delegates of a mailbox to have a way to get to the shared mailbox quarantine queue. If they are allowed to view the inbox/folders they should be allowed to control the spam.
2,070 votes
-
Allow Partners to access the Security and Compliance Center
Please grant Partners the ability to access the Security and Compliance Center through the Partner Admin portal.
1,344 votes
We are working on adding this to the Partner Portal. In the meantime, the partner can access it by appending the customer’s domain to the URL, e.g., https://protection.office.com/contoso.com.
-
OneDrive for Business unable to perform delete folder directly caused by Retention Policy
Dear Microsoft,
OneDrive for Business is one of the useful tools for cloud storage, whereby end users should be able to delete folders (even ones with files inside) easily, even when a retention policy is applied.
Retention policy is supposed to be used on the backend and is not supposed to affect OneDrive for Business usage. We have 500 users impacted by this (and I assume all users are having this issue, as Microsoft support tested it and also saw this "behaviour").
I was informed by Microsoft that this is by default the preservation policy design behaviour, which I do not think should be considered design behaviour anymore…
739 votes
Working on the design for this currently. Will update status as we make progress.
-
Active Directory AccountExpires attribute does not stop login to Office 365
We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still login to Office 365.
We believe this is a major security flaw, as many customers will believe that if the user can no longer log in to the Active Directory domain then they must also not be able to log in to Office 365; however, this is not the case.
Setting an account with an expiry date should stop the account from logging into Office 365 as well.
685 votes
-
Suspicious Login Reports and Alerts
Microsoft needs to include FREE reporting and alerts for paying Office 365 subscribers. Apparently the Azure reports that would be useful to Office 365 subscribers require a paid subscription (according to the 2 tickets I put in with Azure support):
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports
The Office 365 audit log is a mess and doesn't give a clear picture of all suspicious activity for all users at a glance, e.g. logins from multiple geographies.
Ideally, admins would be able to get alerts based on suspicious activity. We've had several user accounts get hacked and we've had no idea. People were logging in from…
667 votes
-
Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working
Hello Microsoft ATP Team,
This is to bring to your notice that spammers/phishers have started targeting Office 365 tenants, which creates a mail loop between Office 365 hosted domains; these emails are getting circulated and through them accounts get compromised. We had a lot of incidents happening in our environment. As these emails are generated from an actual account hosted in Office 365, the emails are considered to be safe and land in users' inboxes. We have an ATP Safe Links policy in place; however, it's not performing the job as expected. ATP is a great feature but we request…
622 votes
ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant; and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.
-
Improve message tracing in Exchange online
We have had a lot of issues with spam, whether it's cryptovirus emails getting through, or good emails getting improperly blocked. Because of this, we need good message tracing (to find the emails), which we do not feel we have with Exchange Online. We would like to make the following suggestions:
- Need to be able to trace further than 7 days back without a 4 hour wait per trace. Our previous message tracing system could go back the entire year nearly instantly, but we need at least 30 days without the 4 hour wait per trace. This was pitched as…
610 votes
Thank you for taking the time to submit this feedback. Since there are multiple pieces and layers of feedback in this single post, it makes it more difficult than many to address. First, let us share a little about what we’ve been doing. Since this post was made, we have prioritized performance and reliability improvements for both Message Trace (inside 7 days) and Historical Search (typically outside of 7 days). We’ve added details to Message Trace that weren’t there before, decreasing the need to run Historical Searches inside of 7 days. For Historical Search, we have improved the results to be more clear for those who are not familiar with the Exchange Message Tracking log format. Additionally, while we get the total value of Message Trace, we’ve also prioritized reducing the constant need to search & destroy. We’ve made tremendous strides in effectiveness, even as the bad guys got more…
-
Office 365 mail queue viewer and control
It will be better if Admins get the option to view the mail queue in Office 365. We will have more control on the email flow if this option is enabled.
556 votes
Thank you for your feedback.
Today you can see messages which are “pending” in a queue through Message Trace feature. In the Mail flow Dashboard, you can see messages queued for more than an hour. We’ve also created alerting for this condition. Can you tell us what other things you need and what the scenarios look like / how commonly you need to perform the task?
This would help us when evaluating this item further.
-
Allow Settings for Message Expiration Timeout Interval and NDR
For some error codes related to sending mails, the senders may receive the NDR immediately. However, for some other error codes, the mail server marks the undeliverable messages as a temporary error and the senders don't immediately receive an NDR. Instead, Exchange Online repeatedly tries to deliver the message over two days. Only after two days of unsuccessful delivery attempts does the sender receive this NDR.
For some time critical businesses this is not acceptable. The user has to be informed very quickly (<6 hours) that his Mail was not delivered by now. Then the user can phone the recipient…
513 votes
Today, based on feedback, we’ve lowered the timeout to 24 hours. In the future, we are planning more improvements, although we do not have any dates or details to share at this time. Thank you for the continued feedback.
-
Make sure that Exchange Online mailboxes are enabled for auditing
The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.
476 votes
-
Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online
Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.
The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):
OutlookWebApp: BasicAuthentication, AdfsAuthentication
ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
RemotePowerShell: BasicAuthentication, NonBasicAuthentication
ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST: …
403 votes
Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.
-
Allow alteration to the global Azure AD Password Policy (complexity, length, etc)
Force special characters in Azure AD password Policy
I would like the ability to force more complex passwords without the need for a Dirsynced server. The default password policy for the global profile in Azure AD is not strong enough, and I would like some better options for length, complexity and special character requirements.
401 votes
-
Compliance admins should be able to delete labels marked as record
Under Classifications, a label created and marked as Record cannot be later changed or, more importantly, deleted by any administrator. As an admin can remove a document from bearing the status of record, they should therefore be able to delete a label with Record status. The combination of Record and Delete after 'x' years is very dangerous - not to mention a department may update their requirements in time.
378 votes
-
Audit license assignment by subscription / Product
We should be able to see which subscription / product was assigned to or removed from an Office 365 account. In the current audit log, there is only a little information, and it is not relevant at all! We must be able to know who assigned a specific Office 365 workload to a user and when, for example Office 365 ProPlus or Skype for Business.
363 votes
-
Make it possible to search subject in Message trace
Can we have a feature in message trace in the Admin center to allow us to search emails by their subjects?
333 votes
-
Re-enable the Exchange Online Activities API (Magic Unicorn)
Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.
Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.
On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…
327 votes
-
Preservation Lock enable and disable with special permission or at least with Microsoft Support.
Preservation Lock can be set so easily: if you click on the policy on the right it will give you the option of On and Off, resulting in a lock that even Support cannot remove. Either provide a secure way of enabling/disabling it for the user or at least give it to Microsoft Support to do it on the client's behalf.
325 votes
Contact the data protection team via MSFT support for discussions about this particular scenario and what options are available for your organization.
-