Feedback by UserVoice

Office 365 Security & Compliance


Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. Block logins from other countries

    It would improve security if we can restrict O365 logins to a specific geographic region. Or exclude specific countries if we identify major hacking attempts from those countries.

    3,651 votes
    199 comments

    Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

    That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.

    That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.

  2. DMARC Aggregate Reports from O365 Domains

    Ability for Office 365 to send DMARC Aggregate reports when set in a monitoring policy, to see which authorised/unauthorised senders are using my domain suffix... just like other vendors are already doing.

    3,415 votes
    104 comments  ·  Spam & Phishing
  3. 2,091 votes
    102 comments  ·  Spam & Phishing
  4. Allow endusers to access quarantine for shared mailboxes

    Currently, only admins can view the quarantine for shared mailboxes. Users are automatically redirected to their own quarantine. I'd love for there to be a default for users who are delegates of a mailbox to have a way to get to the shared mailbox quarantine queue. If they are allowed to view the inbox/folders they should be allowed to control the spam.

    1,882 votes
    74 comments
  5. Allow Partners to access the Security and Compliance Center

    Please grant Partners the ability to access the Security and Compliance Center through the Partner Admin portal.

    1,112 votes
    66 comments
  6. OneDrive for Business unable to perform delete folder directly caused by Retention Policy

    Dear Microsoft,

    OneDrive for Business is one of the useful tools for cloud storage, whereby end users should be able to delete folders (even with files inside) easily, even when a retention policy is applied.

    Retention policy is supposed to be used on the backend and is not supposed to affect OneDrive for Business usage. We have 500 users impacted by this (and I assume all users have this issue, as Microsoft support tested and had this issue - "behaviour").

    I was informed by Microsoft that this is by default preservation policy design behaviour, which I think should not be considered design behaviour anymore…

    681 votes
  7. Active Directory AccountExpires attribute does not stop login to Office 365

    We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still log in to Office 365.

    We believe this is a major security flaw, as many customers will believe that if the user can no longer log in to the Active Directory domain then they must also not be able to log in to Office 365; however, this is not the case.

    Setting an account with an expiry date should stop the account from logging into Office 365 as well.

    628 votes
    27 comments  ·  Advanced Security Management
  8. Suspicious Login Reports and Alerts

    Microsoft needs to include FREE reporting and alerts for paying Office 365 subscribers. Apparently the Azure reports that would be useful to Office 365 subscribers require a paid subscription (according to the 2 tickets I put in with Azure support):
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports.

    The office 365 audit log is a mess and doesn't give a clear picture of all suspicious activity for all users at a glance, e.g. logins from multiple geographies.

    Ideally, admins would be able to get alerts based on suspicious activity. We've had several users' accounts get hacked and we've had no idea. People were logging in from…

    617 votes
    29 comments  ·  Reports
  9. Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working

    Hello Microsoft ATP Team,

    This is to bring to your notice that spammers/phishers have started targeting Office 365 tenants, which creates a mail loop between Office 365 hosted domains; these emails are getting circulated, through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are generated from an actual account hosted in Office 365, the emails are considered safe and land in users' Inbox. We have an ATP Safe Links policy in place; however, it's not performing the job as expected. ATP is a great feature but we request…

    617 votes
    31 comments  ·  Spam & Phishing

    ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant, and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.

  10. Improve message tracing in Exchange online

    We have had a lot of issues with spam, whether it's cryptovirus emails getting through or good emails getting improperly blocked. Because of this, we need good message tracing (to find the emails), which we do not feel we have with Exchange Online. We would like to make the following suggestions:

    1. Need to be able to trace further than 7 days back without a 4-hour wait per trace. Our previous message tracing system could go back the entire year nearly instantly, but we need at least 30 days without the 4-hour wait per trace. This was pitched as…
    586 votes
    23 comments  ·  Message Trace

    Thank you for taking the time to submit this feedback. Since there are multiple pieces and layers of feedback in this single post, it makes it more difficult than many to address. First, let us share a little about what we’ve been doing. Since this post was made, we have prioritized performance and reliability improvements for both Message Trace (inside 7 days) and Historical Search (typically outside of 7 days). We’ve added details to Message Trace that weren’t there before, decreasing the need to run Historical Searches inside of 7 days. For Historical Search, we have improved the results to be more clear for those who are not familiar with the Exchange Message Tracking log format. Additionally, while we get the total value of Message Trace, we’ve also prioritized reducing the constant need to search & destroy. We’ve made tremendous strides in effectiveness, even as the bad guys got more…

  11. Office 365 mail queue viewer and control

    It would be better if admins got the option to view the mail queue in Office 365. We would have more control over the email flow if this option were enabled.

    526 votes
    33 comments

    Thank you for your feedback.

    Today you can see messages which are “pending” in a queue through Message Trace feature. In the Mail flow Dashboard, you can see messages queued for more than an hour. We’ve also created alerting for this condition. Can you tell us what other things you need and what the scenarios look like / how commonly you need to perform the task?

    This would help us when evaluating this item further.

  12. Allow Settings for Message Expiration Timeout Interval and NDR

    For some error codes related to sending mail, the senders may receive the NDR immediately. However, for some other error codes, the mail server marks the undeliverable message as a temporary error and the sender doesn't immediately receive an NDR. Instead, Exchange Online repeatedly tries to deliver the message over two days. Only after two days of unsuccessful delivery attempts does the sender receive this NDR.

    For some time-critical businesses this is not acceptable. The user has to be informed very quickly (<6 hours) that his mail has not been delivered yet. Then the user can phone the recipient…

    507 votes
    53 comments
  13. Make sure that Exchange Online mailboxes are enabled for auditing

    The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

    463 votes
    in the plans  ·  19 comments  ·  Auditing
  14. Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

    Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

    The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

    OutlookWebApp: BasicAuthentication, AdfsAuthentication
    ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
    RemotePowerShell: BasicAuthentication, NonBasicAuthentication
    ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
    IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

    400 votes
    12 comments  ·  Advanced Security Management

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

  15. Audit license assignment by subscription / Product

    We should be able to see which subscription / product was assigned to or removed from an Office 365 account. In the actual audit log, there is only little information, which is not relevant at all! We must be able to know who assigned a specific Office 365 workload to a user and when, for example Office 365 ProPlus or Skype for Business.

    355 votes
    11 comments  ·  Auditing
  16. Allow alteration to the global Azure AD Password Policy (complexity, length, etc)

    Force special characters in Azure AD password Policy

    I would like the ability to force more complex passwords without the need for a Dirsynced server. The default password policy for the global profile in Azure AD is not strong enough, and I would like some better options for length, complexity and special character requirements.

    352 votes
    17 comments  ·  Advanced Security Management
  17. Re-enable the Exchange Online Activities API (Magic Unicorn)

    Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

    Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

    On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…

    323 votes
    8 comments  ·  Auditing
  18. Advanced Threat Protection Whitelist 2019

    ATP needs a way to whitelist inbound email (IP or domain) from being quarantined as malware. Back in 2016 this issue was resolved by adding Exchange mail flow rules to add headers. However, this method no longer works, and Microsoft support (ticket 12611412) confirms that ATP filters before mail rules are applied, and there is no way to whitelist inbound IPs to bypass ATP malware filtering. The only option in the settings is based on recipient. In my case, I want to whitelist to allow a Security Awareness Training provider to send test emails to our users. ATP is incorrectly…

    313 votes
    23 comments  ·  Malware
  19. Office 365 labels - allow deletion of documents with labels

    Please allow users to delete documents with Office 365 labels and keep such deleted documents in a secure location for the duration of the retention period, as described in the following label tooltip in Office 365: "We'll make sure the labeled content stays put where it currently lives. For example, email messages will stay in mailboxes and docs will stay in SharePoint or OneDrive libraries. If users modify or delete the content, we'll keep a copy of it in a secure location so you can get to it if you need to." At the moment SharePoint documents with labels can't…

    282 votes
  20. Preservation Lock enable and disable with special permission or at least with Microsoft Support.

    Preservation Lock can be set so easily that if you click on the policy on the right, it will give you the option of On and Off, resulting in a lock that even Support cannot remove. Either provide a secure way of enabling/disabling it to the user, or at least give Microsoft Support the ability to do it on the client's behalf.

    292 votes