Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own (25 words or less, please)
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

How can we improve compliance or protect your users better in Office 365?

  • Make sure that Exchange Online mailboxes are enabled for auditing

    The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

    363 votes
    in the plans  ·  15 comments  ·  Auditing

  • Audit license assignment by subscription / Product

    We should be able to see which subscription / product was assigned to or removed from an Office 365 account. In the actual audit log, there is only a little information, which is not relevant at all! We must be able to know who and when a specific Office 365 workload is assigned to a user, for example (Office 365 ProPlus, or Skype for Business)

    231 votes
    9 comments  ·  Auditing

  • Re-enable the Exchange Online Activities API (Magic Unicorn)

    Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

    Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

    On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…

    198 votes
    0 comments  ·  Auditing

  • MessageBind

    The action of when a message was viewed in the preview pane or opened by the owner of the mailbox is not logged by mailbox audit logging.
    Please have the "MessageBind" action logged for the owner.

    171 votes
    12 comments  ·  Auditing

  • Mailbox Auditing enabled by default

    We would like to have mailbox auditing enabled by default for all mailboxes in Office 365. We should not have to manually enable for new users as they are added (via PS). Can we not have a way of enabling this for all mailboxes on the tenant?

    141 votes
    5 comments  ·  Auditing

  • Allow Exchange Admin Auditing retention to be increased past 90 days

    The command Set-AdminAuditLogConfig -AdminAuditLogAgeLimit does not work on 365. We have a requirement to keep all admin logs for 3 years but this cannot be performed.

    140 votes
    12 comments  ·  Auditing

    At this point, the Office 365 service only allows for the retention of audit entries for 90 days. Can you provide us more information regarding your requirement to keep logs for 3 years? Is this a legal obligation? Please provide details around the specific audit entries you would like to retain for an extended period of time.

  • Allow us to extract the unified audit logs more than 90 days ago

    Allow us to extract the unified audit logs more than 90 days ago

    I think that many large enterprises have this desire in security policy.

    99 votes
    3 comments  ·  Auditing

  • Audit Log Functionality for New Inbox / Forwarding Rule / Mass Failed Logins

    As a support provider I've seen an influx of fraudulent access cases. I would like to see an audit log option (and alert) for Inbox and Forwarding Rules as well as for Mass Failed Logins.
    I know that for E5 and Advanced Security Management subscribers they can create something for failed logins but with this becoming more commonplace I think the people would appreciate this functionality.

    61 votes
    4 comments  ·  Auditing

  • Add search for failed login attempts to Audit Log Search

    Right now the audit log search allows for searching user sign-ins but not failed login attempts. This can be accessed by exporting the events but having that feature available in the search would make it more convenient to get an at-a-glance view of failed attempts and the IP addresses that are attempting to get access. This is not to say I don't trust Microsoft's ability to detect suspicious logins; it's more for our own situational awareness of where *********** attempts are coming from.

    60 votes
    2 comments  ·  Auditing

  • Allow us to create alerts for sign in Failures and Successes based off of IP Geo Location. Alerts if log in success outside of country.

    I would like to create an alert if there are failed login attempts or successful login attempts from IP addresses originating outside of my City/State/Country.

    Allow us to either white list IP addresses and alert for any not on the white list. Blacklist IP addresses and alert based off of just black list. Select Country regions and alert if selected countries' IP addresses are the originating IP. Allow us to alert for only failures, only successes, or both.

    54 votes
    5 comments  ·  Auditing

  • Extend the Audit Log to hold records for longer than ninety days

    The Audit Log's functionality in Office 365 is excellent but the logs are only held for ninety days rolling.

    Due to this we are having to look at third party solutions to export the logs automatically, but this would be much easier if you extended the logging period out to a much longer period - years would be better than months.

    51 votes
    7 comments  ·  Auditing

  • granular audit logging

    We are a hospital and we need granularity on if an account got breached the timestamp of when the email was last previewed/read/deleted or moved.

    48 votes
    0 comments  ·  Auditing

  • Allow SharePoint Auditing Alerts to be configured for an individual site or site collection.

    This is a big compliance gap for us at the moment. When giving site owners full ownership of their site we are unable to provide them with alerts on permission changes or file access/download. This is available to them with our file share compliance tool and is limiting the adoption of SharePoint.

    39 votes
    1 comment  ·  Auditing

  • Delegate Audit Log access by Activity Type

    Please add the ability to delegate read-access to audit logs by Activity type. For example, access to just "Power BI activities" audit logs, or "Microsoft Teams activities" audit logs.

    This would be useful as different groups within IT manage the usage of different O365 services, yet they have to be given access to all or nothing.

    38 votes
    1 comment  ·  Auditing

  • external user Reports

    Please provide detailed auditing of which files have been accessed by external users.

    36 votes
    1 comment  ·  Auditing

  • Allow journaling into Office 365 mailbox

    Either sell a separate Journaling license if it is more expensive to keep journal on Office 365 and price the license according to data amounts like $10 per 100GB/month. Or have an option to put Litigation hold on all mail traffic going through the tenancy. Currently only mailboxes with licenses assigned can have litigation hold so getting those licenses for all shared mailboxes would help a little but would be very costly as shared mailboxes will not need the office or any other licensed features. Even when licensing all shared and user mailboxes, that would not keep the mail that…

    35 votes
    1 comment  ·  Auditing

  • An event log needs to be created for OWA logoff or session timeout. This is critical for forensics investigations.

    Having this information is beneficial for a potential compromised account or investigations processed by HR. Not having these event logs seems contrary to good security practices.

    35 votes
    1 comment  ·  Auditing

  • Support audit events on List Items, not just files/attachments

    Audit events on list items are not available via the Security & Compliance Center, nor via the Office365 Management API. This is a functional gap compared to the audit log reports for a site collection, which do contain audit events on list items.

    33 votes
    1 comment  ·  Auditing

  • Report on how users signed into Office365 services

    I have a need to be able to understand how/where a user logged in from. I can see the IP address and the time but it's not clear to know if they signed into the Web Portal, leveraged PowerShell, or just used one of the office clients. It would be great if, as part of the Security and Compliance center, I could also report on how the user connected.

    26 votes
    2 comments  ·  Auditing

  • Add filter options for new SharePoint external sharing

    The activity filter on the Audit log search does not include the Operations added with the new SharePoint external sharing. (https://support.office.com/en-us/article/What-s-new-in-sharing-in-first-release-cc78357c-6d48-499c-9cc7-dae447d0d391?ui=en-US&rs=en-US&ad=US). I need to be able to filter my search to SecureLinkCreated, SecureLinkDeleted, AddedToSecureLink, and RemovedFromSecureLink.

    25 votes
    3 comments  ·  Auditing