Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Content Search filter export/report results

    So currently the only option to export results from Content Searches is to either view the very limited preview (which currently doesn't expand the Sender: address to a full email address), and I think might have numerical restrictions, or to export full emails.
    We had a business requirement come in that Content Search would've helped us achieve had it had the ability to filter the output emails down to just certain fields.
    The requirement was to go back in time searching across all emails in the organisation to get a large list of only the sender domains.
    Currently the only…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Compliance Manager  ·  Flag idea as inappropriate…  ·  Admin →
  3. BUG: Unusual volume of file deletion

    The "Unusual volume of file deletion" alert rule is picking up local PC file deletes. This includes files in the "AppData" folder, which have nothing to do with M365. This needs to be fixed, otherwise this rule is pointless and has to be disabled.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Advanced Security Management  ·  Flag idea as inappropriate…  ·  Admin →
  4. Email auto-forwarding ATP policy and reporting

    For MC221113 "Office 365 ATP External email forwarding controls and policy change"

    Align the ATP forwarding policy rule options with the Auto-Forwarding Report categories, instead of just Automatic/On/Off. Since the forwarding report gives numbers by 3 categories (By mail flow rules; By Inbox rules; By SMTP forwarding), would be nice to enable/disable each separately - so we can allow SMTP forwarding when an admin configures it on an account, but disable a user creating their own rules to forward emails externally.

    https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report?view=o365-worldwide
    https://security.microsoft.com/antispam

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  5. Include client source port in authentication logs

    Authentication and audit logs across M365 (OCAS, AzureAD, Sentinel, Office Audit Log) record the source/client IP but do not include the client port.

    When a login attempt ocurrs from behind a NAT/PAT device, it's usually not possible to identity the user or device behind NAT/PAT without the client source port. Multiple users could have been assigned the same IP and the only way to distinguish users is which port they were assigned for the NAT translation session.

    Including the source port would allow us to perform incident response on suspicious logins and better identify users or devices who attempted to…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Reports  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow users to delete quarantined emails from the quarantine list

    This will make it easier to check the queue over time instead of waiting for the messages to expire. It appears this was requested previously, granted, but then taken away again. Please bring it back!

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  7. Sort, Categorize and search within Microsoft Authenticator

    To be able to efficiently find the right account it would be great to search for the right account

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. Legal Hold Custodian Report

    Legal Hold Custodian Report Export that includes custodian names, email, and data sources for each custodian.

    the "Export" function just exports the case names, status, created date, "last modified date", and "last modified by".

    It would be great if we added "custodian name", email, Role, and status to that report.

    We provide monthly status reports to inside counsel and manually add the custodian data to each case.

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  eDiscovery  ·  Flag idea as inappropriate…  ·  Admin →
  9. Include Reporting Spam with Online Email: I don't us Outlook and started receiving SPAM/PHISHING email form someone using onmicrosoft.com

    Your reporting method of attaching the spam/phishing email does not work if using an online service. My ISP does not allow attaching email. I can only forward it. Whoever this is is also exposing my email address to everyone on their list which will open my eddress to other spammers.

    You need to police your users from this abuse.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  10. About permissions required to run audit logs

    *English follows Japanese

    ■Title(件名):
    監査ログを実行できる権限について
    About permissions required to run audit logs


    ■Description(内容):
    現在の Office 365 監査ログでは利用の有無のみの設定しかできません。
    不要なアクティビティの取得を避けるため、アクティビティ毎に取得可否を設定できるよう機能の拡張を要望します。

    Currently the only settings governing use of the Office 365 audit logs are to enable/disable use.
    Please make it possible to allow/deny users from getting each activity separately so that users cannot get activity information they do not need.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  11. Set user as 'not junk' from quarantine page

    Currently when emails go into Quarantine (after falling into the 'prevented phishing messages' category), I cannot release these directly from the summary email. Instead users have to follow the link to the quarantine section of, which allows them to release the message from quarantine, but doesn't give any useful option to add them to the whitelist/not-junk list.

    Could this be added please?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Add time search in addition to date to new-complianceSearch and other eDiscovery tools

    Add time search in addition to date to new-complianceSearch and other eDiscovery tools.

    Add ability to search a specific time frame in addition to a specific date range.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  eDiscovery  ·  Flag idea as inappropriate…  ·  Admin →
  13. Improve the custom email and policy tips for user notifications

    Currently you are only able to customise the email subject, text and policy tip messages for user notifications that appear when DLP policy matches occur with plain text.

    Although this does recognise email addresses, it would be better if this was able to host rich text to include a more meaningful message.

    Taking this a step further, it would be better if you could have a custom message for each application too, without having to create duplicate policies for each app.

    For example, if you have a DLP policy that's applied to SharePoint and Exchange, having the ability to customise…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  14. Identify which items have been triggered in Event Based Retention

    We need the ability to identify which records in a SharePoint library (containing all records that have a specific category of event based retention label) have previously been triggered by an event, and which ones are still waiting to be triggered by an event. According to the response to a support ticket logged with Microsoft Support, there is currently no way to identify whether a record has been triggered and is counting down its retention duration or not, until the record eventually reaches the end of the countdown and goes to disposition review. Seeing as the records in our SharePoint…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  15. report phish

    When a user uses the Report Message add-in in Outlook to report a phishing message, it triggers all kinds of excellent Automated Investigation and Response things - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-worldwide#example-a-user-reported-phish-message-launches-an-investigation-playbook -

    However, we currently use a 3rd-party tool to report Phishing messages (KnowBe4 Phish Alert) because it can give the User positive reinforcement for reporting KnowBe4's test messages.
    I set up the KnowBe4 to also report to phish@office365.microsoft.com , but this does not trigger the Automated Investigation - although we usually do see a PhishZAP investigation a little bit later (presumably after the exchange backend has had time to crunch through the…

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  16. Detect specific pattern in HTML source code of mail

    Ability to match for specific regex in mail body html source code to detect technique that attacker used to evade detection and bypass EOP

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  17. Suppress prepended External Email banners in preview mode

    Prepending email messages from external users is easy to set up and works very well. The problem is that when viewing messages on mobile devices the external message banner is all that is seen, and there is no way to preview the actual message without opening each message. If the banner can be automatically prepended to the body of an email message would it be possible to suppress the message in preview mode and only show it once the message is opened?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  18. Retention Policy - SharePoint - Allow Site Deletion

    With SharePoint protected by a retention policy users are not able to delete sites. We should be allowed to delete sites, yet content should remain discoverable via eDiscovery. For instance, I have a Team Site I no longer need and want to remove from my view. Or I created a test site to explain how to do something and I can't get it to go away. Modifying the retention policy to exclude sites to allow deletion is not a useful solution. Please fix.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
  19. If you share files uploaded to OneDrive with external users, DLP will not detect them.

    If you share files uploaded to OneDrive with external users, DLP will not detect them.

    Upload the Contents file containing Sensitive Data to OneDrive.
    DLP will not detect sharing with external users.

    OneDrive's sharing function is a basic function that users use very naturally, such as attaching a file to their email.

    If Sensitive Data included Content is delivered to external users using OneDrive sharing function, DLP will request modification so that it can be detected.

    The only way to detect this now.
    1. Record file information with Sensitive Data in DLP Events
    2. Check if recorded file is an…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  20. Supplementary filters in Mailflow status report

    Today in the Mailflow status report we wan filter on few things.(dates, inbound/outbound/intraorg messages).
    https://protection.office.com/mailflowStatusReport?viewid=funnel
    Would be great if we could filter on at list domains to have a global view of a specific domain in the tenant.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Reports  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base