Office 365 Security & Compliance

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How can we improve compliance or protect your users better in Office 365?

• Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

  Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

  The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

  OutlookWebApp: BasicAuthentication, AdfsAuthentication
  ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
  RemotePowerShell: BasicAuthentication, NonBasicAuthentication
  ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
  IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

  358 votes · 10 comments · Advanced Security Management

  Admin response: Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blog post (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

• Active Directory AccountExpires attribute does not stop login to Office 365

  We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still log in to Office 365.

  We believe this is a major security flaw, as many customers will believe that if the user can no longer log in to the Active Directory domain then they must also not be able to log in to Office 365; however, this is not the case.

  Setting an account with an expiry date should stop the account from logging into Office 365 as well.

  259 votes · 12 comments · Advanced Security Management
• Disable download option at library in SharePoint

  In site permissions, under the permission levels option, I can't configure a level where the user can only read the content of a library online and is not able to download the content. That is to say, I can't disable or restrict the download option even when:
  1. I assign a read-only permission, and/or
  2. I activate IRM on the library. This option forces the acquisition of licensed and compatible software to read the PDF documents, which is not what our organization is looking for.

  This is a basic option that should be available, don't you think?

  138 votes · 7 comments · Advanced Security Management
• Add 3rd party Authenticator support to Office 365 2-factor auth

  Please add support for 3rd party 2-factor authenticator apps like LastPass Authenticator or Google Authenticator by adding support for RFC 6238 "TOTP: Time-Based One-Time Password Algorithm".

  I don't want to fill my phone with vendor-specific authenticator apps.

  https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

  138 votes · 11 comments · Advanced Security Management
• Security & Compliance Center PowerShell - ADAL Support for MFA

  PowerShell for Security & Compliance Center needs ADAL support, as right now it uses the Exchange connector to the Basic auth endpoint. Exchange Online PowerShell has an ADAL client now; where's the one for Security & Compliance Center?

  120 votes · 5 comments · Advanced Security Management
• Increase security for MFA App Passwords – ‘flaw in security’

  There are a few security issues with App Passwords while using MFA. The security around App Passwords needs to be strengthened.
  First, App Passwords consisting of all lower-case letters are not as secure as the current password policies our users are using. By enabling MFA, our clients and users are complaining about the strength of the App Password.
  Second, App Passwords that can be re-used are lessening the password security of user accounts. This allows users to copy/paste or write down the password to be used again and again.
  Suggestions:
  - Increase the complexity of the App Password (upper case,…

  120 votes · 6 comments · Advanced Security Management
• Add a "Trust this Device" option to reduce frequency of multi-factor prompt

  Most multi-factor / 2-factor authentication schemes allow the user to check a box when they log in using the second factor of authentication to say "Trust this Device", meaning "Don't ask for the second-factor code again on this device (optionally: for X days)". [Google, LastPass, Yahoo, ...]

  Microsoft Office 365 does not have this, which makes good login security unnecessarily burdensome, as the user must have their second-factor authentication device with them at all times and use it every time they log in.

  Some users will refuse to use it at all, given the extra burden. Others will use it but be…

  96 votes · 5 comments · Advanced Security Management
• Conditional Access by Network Location

  Want to bring network location-based conditional access policy to not only SharePoint but also the whole of Office 365.

  94 votes · 3 comments · Advanced Security Management
• Advanced Threat Protection and Dynamic Delivery of emails

  With Dynamic Delivery, email is delivered with a provisional attachment that indicates that the original attachment is being scanned by ATP and will be delivered soon. If this email is forwarded before the original attachment is released by ATP, the recipient of the forwarded email will receive the provisional attachment and never see the original attachment once it is released to the first recipient.
  This is a problem for businesses where many executives on the move use mobile phones to routinely forward emails to team members for follow-up. We also have users who set up Outlook rules that forward emails to other users. …

  87 votes · 3 comments · Advanced Security Management
• Enable geofencing in Office365

  Enabling geofencing will be a good option to prevent access from different parts of the world.

  85 votes · 3 comments · Advanced Security Management
• Fix Advanced Threat Protection Attachment Scan When Email Is Auto-Forwarded

  Currently ATP fails to release an attachment (it continually displays "ATP Scan in Progress" in place of the actual attachment) when the email with the "stuck" attachment has been auto-forwarded by a user with an Out-of-Office rule in place within the same email domain. Strangely, the email attachment is scanned just fine for the auto-forwarding recipient and can be manually forwarded to any recipient, but if it's auto-forwarded, the attachment stays stuck and never displays as available. This has been reported to MS Support, who attempted a work-around (which failed), Office 365 Ticket #30126-5487056.

  66 votes · 7 comments · Advanced Security Management
• Allow users to migrate their Microsoft accounts to Office 365

  When a firm establishes an Office 365 tenant, they should have the option to allow users to migrate their existing Microsoft Account identities to the company account. This should migrate their existing OneDrive and other consumer data to the corporate account as well as "merge" the identities so access given to other Office 365 tenants' SharePoint and other sites transfers over. Users could also opt not to migrate, in which case they should be required to "vacate" the company domain and migrate to an outlook.com or other consumer branded domain, much like the old Lync/OCS federation process that took place…

  60 votes · 1 comment · Advanced Security Management
• A bug when creating a Retention Policy for Skype for Business in the O365 Admin portal

  When creating the policy, the * means all, but it still forces you to select users to add to the retention policy.

  53 votes · 4 comments · Advanced Security Management
• More Than 8-Character Minimum Password Requirement

  Allow for the current 8-character minimum requirement to be changed to something longer (i.e. 10 or 12). Allowing for an 8-character minimum password length ensures mostly that.

  Changing character density from 8 to 10 characters increases offline resilience from less than a day to almost two (2) decades, and 12 characters to over a thousand centuries [ref: Gibson Research Center’s ‘Haystack’ page - https://www.grc.com/haystack.htm ].

  Allowing administrators the option of lifting this minimum not only forces users to create potentially more secure passwords, but also allows them to use them longer without needing to change them… potentially until there…

  53 votes · 1 comment · Advanced Security Management
• E-mail (OWA) Access alert to user as well as Admin from Non-Regular-Machine

  If a user tries to access mail from a non-regular machine, I think it is better that an alert is sent to the user as well as the Admin. Based on the user's or Admin's confirmation, mail should be accessible; otherwise it should be blocked temporarily (restricted), and it would be better if we get the access location as well.

  49 votes · 10 comments · Advanced Security Management
• Ability to limit access to Online Archive by Client Location

  We'd like the ability to limit access for users to their O365 Online Archives by client location/IP.

  For example, if the user is connected to the corporate network, their online archive should be accessible through Outlook. If the user is away, working from home, etc., the online archive is not available/accessible.

  Whilst we have security measures in place (like MFA) for accounts if a user's credentials are stolen, the most common access would be via OWA from an external location/IP. By archiving (moving) old/sensitive email to the online archive, and restricting access by location, we could effectively limit the amount…

  45 votes · 0 comments · Advanced Security Management
• Ethical Wall for Skype for Business Online

  Add the ability to implement an ethical wall in Skype for Business Online. This is required in some industries where you have business units (within the same organization / tenant) that are not allowed to communicate with one another for regulatory reasons. For example, an Investment Banking group and an Equities Research group.

  39 votes · 2 comments · Advanced Security Management
• Implement Safe Attachment senders whitelist

  There needs to be a way of setting certain senders' emails not to be scanned by ATP, i.e. a whitelist of safe senders so Safe Attachments doesn't kick in and scan.

  An example is internal scanners that scan to email. Users then have to wait for their scanned document to be interrogated by ATP.

  37 votes · 3 comments · Advanced Security Management
• Single site for XML whitelist of all cloud services addresses

  Currently there is a huge list of different cloud addresses here:
  https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_portal-identity
  Is there any possibility of creating a single-file whitelist of those addresses and sharing it somewhere? For example, the same way you have the ADFS schema address hard-coded.
  We have customers that want to:
  1. Restrict internet use
  2. Still use MS cloud services
  That is not currently possible, due to the fact that the list is almost impossible to maintain manually.
  We are using Windows Firewall and IPSEC for restricting our customers' internet browsing, and we have to maintain those whitelists manually always when any change is done.
  - Maybe in future, the…

  36 votes · 1 comment · Advanced Security Management
• Allow alteration to the global Azure AD Password Policy (complexity, length, etc.)

  Force special characters in Azure AD password Policy

  I would like the ability to force more complex passwords without the need for a Dirsynced server. The default password policy for the global profile in Azure AD is not strong enough, and I would like some better options for length, complexity and special character requirements.

  34 votes · 0 comments · Advanced Security Management