
Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. ATP insight as to what was found or not found

    Blind trust is difficult, especially when a product is not 100%. ATP for O365 is just such a product. While marketing will tell you ATP is better than the rest, reality shows us that all security products will produce false positives and false negatives. The real question from a security perspective is how did the automated process come to its conclusion on any given assessment. If the attachment or URL has known malware, that's easy. However, when Microsoft deems a site or file as benign, a simple screenshot showing what was found or not found would be a great…

    3 votes
    0 comments  ·  Advanced Security Management
  2. ediscovery

    Create eDiscovery hold targeting all users with search criteria.
    Is there a way to target all users in our tenant for an eDiscovery hold action besides individually selecting each account? Is there a 'select all' option for users before specifying the query criteria?
    Microsoft Engineering Team, see the work already discussed at:
    [Case #:21854959] - Need to create eDiscovery targeting all users

    3 votes
    0 comments  ·  eDiscovery
  3. Your Office 365 Advanced Threat Protection is ********

    It doesn't let me go to the page. Stop "protecting" us. Thanks

    1 vote
    0 comments
  4. Disable user SETTING external forward address in forwarding or Inbox rules

    Add option to allow or deny specific users setting external email addresses in forwarding settings or Inbox rules that forward received emails. The recently implemented Auto-Forwarding Policy (MC221113) can't be implemented for our tenant as it will cause users to not receive emails sent to them that they have tried to forward and they (and the senders) may not be aware they are not receiving them. By not allowing them to set external forwarding addresses the same goal would be met without the users not being aware they won't receive their emails.

    1 vote
    0 comments  ·  Advanced Security Management
  5. Message trace doesn't find email blocked due to blacklisted IP

    Microsoft confirmed to me that it's not possible to trace an email sent by a Blacklisted IP.
    Then what is the message trace for? Look for delivered messages? Message trace should return all processed emails to help tenant administrators in their work.

    2 votes
    1 comment  ·  Message Trace
  6. Allow creating alert for deleted Stream video and deleted team channel in O365

    Please, it will be great if the deleted team channel and deleted Stream video can be included in the security Alert option in O365.

    2 votes
    0 comments  ·  Advanced Security Management
  7. Need report for blocked External Forwarding NDR 5.7.520 Access Denied.

    I turned off the external forwarding feature in the S&C portal to restrict users from auto-forwarding email to external addresses, which is working fine now after waiting for 24 hrs, but I now need to get a report of all the senders who tried to forward emails. I can't find any such report in the Compliance portal. The only way I can see the list is using Extended Message trace, but that needs to be generated every day, and I would like MS to give me a better option for the same.

    6 votes
    1 comment  ·  Advanced Security Management
  8. product compare doc

    Microsoft Product compare, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Dz8M, says that neither Core eDiscovery, which includes legal hold, nor Email archiving is part of the Microsoft 365 E3 subscription. However, they are part of the Microsoft 365 E3 licensing, just the advanced features are not.

    1 vote
    0 comments  ·  eDiscovery
  9. Better handling of quarantined emails for end-users

    There's lots about how the quarantined mail notifications work, the fact it is disabled by default and has limits on how frequently people are notified about quarantined mails.

    There's a simple way to address this. Make quarantine work more like Junk i.e.
    - have a Quarantine folder in Outlook that lists all mails currently in quarantine (sender, subject and reason for quarantine).
    - have options on each mail to release or remove
    - update the Quarantine folder in real-time

    That way, right from the start end-users can see mails are being quarantined and do something about it if needed. No…

    3 votes
    0 comments  ·  Spam & Phishing
  10. Some file access/page view actions are not shown in the log history

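    ■Title:
    In the audit log, part of the history of accesses and opened files is not displayed
    Some file access/page view actions are not shown in the log history


    ■Description:
    In the audit log, when accesses happen in succession, part of the history is grouped together as "FileAccessedExtended", "PageViewedExtended" and so on, so we would like the feature extended so that the full history can be output.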

    In the audit logs, continued accesses show in the logs as single instances of “FileAccessedExtended” or “PageViewedExtended” etc, so please make them show individually in the logs.

    21 votes
    0 comments  ·  Auditing
  11. Quarantine: Filter to see released emails

    Please provide a method to filter released messages in quarantine. I would like to see only released messages.

    4 votes
    0 comments  ·  Reports
  12. Have audit log search turned on by default to every new tenant

    Have audit log search turned on by default to every new tenant

    1 vote
    0 comments
  13. Exchange Transport Rule for spoofed email using compauth reason code within Authentication-Results header

    When DMARC isn't yet enforced with a restrictive policy for any domain, some illegitimate spoofed email will still go through, and some other legitimate emails sent by partners must not be blocked.
    It could be easier and reduce the number of false positives if we could use the "CompAuth" value within the Authentication-Results.
    https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide

    When you check a spoofed email header such as the one below:
    - Authentication-Results spf=[...]; dmarc=fail action=none header.from=mydomain;compauth=fail reason=001
    you'll notice the compauth and reason at the end. Today, we are not able to match them.

    Composite authentication is usually set to none or fail for spoofed email…

    6 votes
    0 comments  ·  Spam & Phishing
  14. Release Quarantined Emails From Threat Explorer

    When working primarily out of the Threat Explorer, you can identify emails that have been quarantined. However, releasing or deleting those emails can only be done when manually navigating to the quarantine page. You should be able to release/delete these messages via the Threat Explorer rather than having to work out of different areas to complete this.

    2 votes
    0 comments  ·  Spam & Phishing
  15. Customize Alert Policies

    Allow for exceptions to Alert Policies. For example, the “Phish URLs Removed After Delivery” rule is prone to False Positives. Being able to exclude addresses from the Alert would increase the fidelity of the Alert.

    2 votes
    0 comments  ·  Spam & Phishing
  16. Safe Links User Clicks

    In the Threat Explorer, the “User Clicks” tab displays when a URL was accessed in an email. However, you can not see which user clicked the email when multiple results are displayed. Displaying the username of who clicked the link would help with remediation for that user.

    2 votes
    0 comments  ·  Spam & Phishing
  17. Message Trace Details in the Threat Explorer

    Including the data displayed in a Message Trace within the Threat Explorer would be useful when troubleshooting email issues. For example, the Message Trace shows what DLP/Mail Flow rules were applied to an email. Our organization works primarily out of the Threat Explorer, so being able to get this data without having to work out of multiple areas in the Security & Compliance Center would be helpful.

    4 votes
    0 comments  ·  Spam & Phishing
  18. Allow customized content filtering

    Create a section in the anti-spam policy where you can add custom keywords that can be marked as spam. This can currently be done via a mail-flow rule, but having it available in the anti-spam policy would have less potential impact than a mail-flow rule. Also, being able to add additional file extensions to the anti-malware policy would be useful. It currently only allows you to filter extensions from a predefined list.

    4 votes
    0 comments  ·  Spam & Phishing
  19. Enable Commenting for Allow/Block List Entries

    Allow for commenting when making entries into the Allow/Block lists in the Anti-Spam & Connection Filter policies. These lists are large for our organization and we have to maintain an external list to reference why an entry was made. Being able to reference a reason of why the entry was added within the console would be a huge time saver when performing maintenance.

    2 votes
    0 comments  ·  Spam & Phishing
  20. Mail Flow rules trace results show failures when approval action is required

    When running a mail flow trace against a message that had rules (approval) email, the message seems to be delivered but the trace shows failure.

    1 vote
    0 comments  ·  Message Trace