Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. 2,083 votes
    102 comments  ·  Spam & Phishing
  2. Allow Partners to access the Security and Compliance Center

    Please grant Partners the ability to access the Security and Compliance Center through the Partner Admin portal.

    1,098 votes
    65 comments
  3. Improve message tracing in Exchange online

    We have had a lot of issues with spam, whether it's cryptovirus emails getting through, or good emails getting improperly blocked. Because of this, we need good message tracing (to find the emails), which we do not feel we have with Exchange Online. We would like to make the following suggestions:

    1. Need to be able to trace further than 7 days back without a 4 hour wait per trace. Our previous message tracing system could go back the entire year nearly instantly, but we need at least 30 days without the 4 hour wait per trace. This was pitched as…
    584 votes
    23 comments  ·  Message Trace

    Thank you for taking the time to submit this feedback. Since there are multiple pieces and layers of feedback in this single post, it makes it more difficult than many to address. First, let us share a little about what we’ve been doing. Since this post was made, we have prioritized performance and reliability improvements for both Message Trace (inside 7 days) and Historical Search (typically outside of 7 days). We’ve added details to Message Trace that weren’t there before, decreasing the need to run Historical Searches inside of 7 days. For Historical Search, we have improved the results to be more clear for those who are not familiar with the Exchange Message Tracking log format. Additionally, while we get the total value of Message Trace, we’ve also prioritized reducing the constant need to search & destroy. We’ve made tremendous strides in effectiveness, even as the bad guys got more…

  4. Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

    Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

    The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

    OutlookWebApp: BasicAuthentication, AdfsAuthentication
    ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
    RemotePowerShell: BasicAuthentication, NonBasicAuthentication
    ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
    IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

    400 votes
    12 comments  ·  Advanced Security Management

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.
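The rule combinations the post lists as supported can be expressed today, and the practitioner's question is how to do that without locking the admin out, and how to confirm what a rule would decide before trusting it. The script below is an added example, not code from the post, the Exchange documentation, or the EXO engineering team. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline), a placeholder admin egress range of 203.0.113.0/24, and placeholder users and client addresses; it deliberately covers only RemotePowerShell and ExchangeActiveSync, the protocols the post lists with a BasicAuthentication condition, and not EWS or MAPI, which the post says cannot be expressed. The final commented block describes the later Exchange Online authentication-policy cmdlets, which is my assumption about the "work underway" mentioned in the reply, not something this page states.

```powershell
# Added example: Client Access Rules (CARs) denying Basic authentication on the
# protocol/auth-type pairs the post lists as supported. Not from the original
# post or Microsoft documentation. Placeholders: admin egress range, users, IPs.
# Assumes Connect-ExchangeOnline has already been run.

$AdminEgress = '203.0.113.0/24'   # assumption: replace with your admin IP range(s)

# 1. Safety net first. CARs are evaluated in priority order (1 = highest) and the
#    first matching rule wins, so an Allow rule for the admin range must sit above
#    any Deny rule or a mis-scoped Deny can cut off remote PowerShell for everyone.
New-ClientAccessRule -Name 'Allow admin egress - remote PowerShell' `
    -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $AdminEgress `
    -Priority 1

# 2. Deny Basic authentication on the protocols the post lists as supporting the
#    BasicAuthentication condition. EWS and MAPI are intentionally absent: the
#    post states those combinations cannot be written as a CAR.
New-ClientAccessRule -Name 'Deny Basic auth - remote PowerShell' `
    -Action DenyAccess `
    -AnyOfAuthenticationTypes BasicAuthentication `
    -AnyOfProtocols RemotePowerShell `
    -Priority 2

New-ClientAccessRule -Name 'Deny Basic auth - ActiveSync' `
    -Action DenyAccess `
    -AnyOfAuthenticationTypes BasicAuthentication `
    -AnyOfProtocols ExchangeActiveSync `
    -Priority 3

# 3. Simulate connections before relying on the rules. Test-ClientAccessRule
#    reports the rule that would match and its Action; no match means allowed.
#    External client (placeholder 198.51.100.7) using Basic auth over ActiveSync:
Test-ClientAccessRule -AuthenticationType BasicAuthentication `
    -Protocol ExchangeActiveSync `
    -RemoteAddress 198.51.100.7 `
    -RemotePort 443 `
    -User 'alice@contoso.com'

#    Admin inside the egress range (placeholder 203.0.113.10) using remote PowerShell:
Test-ClientAccessRule -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell `
    -RemoteAddress 203.0.113.10 `
    -RemotePort 443 `
    -User 'admin@contoso.com'

# 4. Review the rule set in evaluation order.
Get-ClientAccessRule | Sort-Object Priority | Format-Table Priority, Name, Action, Enabled

# Caveat from the reply above: CARs run after the credential has been validated,
# so they stop a valid-password attacker on the covered protocols but do nothing
# against password spray or deliberate lockouts.

# 5. Assumption, not from this page: Exchange Online later shipped per-protocol
#    authentication policies that do cover EWS and MAPI. Shape of the cmdlets:
# New-AuthenticationPolicy -Name 'Block Basic auth' `
#     -AllowBasicAuthWebServices:$false -AllowBasicAuthMapi:$false `
#     -AllowBasicAuthActiveSync:$false -AllowBasicAuthPowershell:$false
# Set-User -Identity 'alice@contoso.com' -AuthenticationPolicy 'Block Basic auth'
```

Create the Allow rule, confirm with Test-ClientAccessRule that your own address still matches it, and only then add the Deny rules; a Deny on RemotePowerShell with no higher-priority Allow is the classic way to lock yourself out of the tenant's shell.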

  5. Allow dynamic retention policy based on group membership

    The below is too great a restriction and renders the retention policy useless.

    Groups selection confirmation

    The specified groups will be expanded so that an In-Place Hold can be put on the mailboxes in these groups. Only the mailboxes that are currently members of these groups will be placed on hold. Mailboxes added to or removed from these groups won't be added or removed from this hold. After setting the group for the location, the new member changes for this group will not auto apply to this location settings. Do you want to expand these groups?

    215 votes
  6. Compliance admins should be able to delete labels marked as record

    Under Classifications, a label created and marked as Record cannot be later changed or, more importantly, deleted by any administrator. As an admin can remove a document from bearing the status of record, they should therefore be able to delete a label with Record status. The combination of Record and Delete after 'x' years is very dangerous - not to mention a department may update their requirements in time.

    202 votes
  7. Allow powershell scripting in Advanced eDiscovery

    I have scripted out the entire eDiscovery process in E3 eDiscovery, which allowed us to save time and money, and repeat searches with minor variations very easily. With Advanced eDiscovery, I am unable to do so. Please add PowerShell scripting support (or provide the documentation) so we can streamline our collection and export processes.

    198 votes
    working on it  ·  2 comments  ·  eDiscovery
  8. Allow the ability to delete a retention label definition in S&C Center if 'Record' classification

    If you've created a retention label in the Security & Compliance Center and have checked the 'Use label to classify content as a "Record"' checkbox, I would like the ability to delete the label under certain circumstances. If I've never used it, and it's not published in any policy, I should be able to delete it. I've set up several "test" labels with this checkbox checked and there is no way (either through the UI or through PowerShell) to delete the label definition. Example: if you create a retention label and select the 'record' checkbox, save it and then immediately try…

    143 votes
  9. Delete content from content search through the GUI, not using New-ComplianceSearchAction

    Currently users with the eDiscovery role can run a search for content and download that content. Using New-ComplianceSearchAction -purge -softdelete you can delete this content (which we use for deleting spam or malware emails out of mailboxes). We do not want our security operations team to use PowerShell to complete these deletes, so we have to write a GUI to provide this functionality. Please enable the ability to complete deletes within the SCC itself.

    127 votes
    9 comments  ·  eDiscovery
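Idea 7 (scripting the eDiscovery collection) and idea 9 (purging spam or malware from mailboxes with New-ComplianceSearchAction) both come down to the same search-then-act workflow in Security & Compliance PowerShell, so one added example serves both. It is not code from either post. It assumes a Security & Compliance session (Connect-IPPSSession from the ExchangeOnlineManagement module) opened by an account holding the eDiscovery Manager role plus the Search And Purge role, and the sender, subject and date window are placeholders. Note that the purge switch is spelled -Purge -PurgeType SoftDelete, and that the service removes at most 10 items per mailbox per purge action, so a wide-spread campaign needs repeated runs.

```powershell
# Added example, not from the UserVoice posts: search mailboxes for a phishing
# message, preview the hits, then soft-delete them. Assumes Connect-IPPSSession
# has been run by an account with eDiscovery Manager + Search And Purge roles.
# Sender/subject/date values are placeholders.

function Invoke-PhishPurge {
    param(
        [Parameter(Mandatory)] [string]   $Sender,
        [Parameter(Mandatory)] [string]   $Subject,
        [datetime] $NotBefore = (Get-Date).AddDays(-7),
        [switch]   $PreviewOnly          # list hits, do not purge
    )

    $name = 'SecOps-Purge-{0:yyyyMMdd-HHmmss}' -f (Get-Date)

    # Build the KQL query. Quotes are stripped from the operator-supplied subject
    # so a crafted subject line cannot change the shape of the query.
    $kql = 'from:"{0}" AND subject:"{1}" AND received>={2:yyyy-MM-dd}' -f `
           $Sender, ($Subject -replace '"', ''), $NotBefore

    New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $kql | Out-Null
    Start-ComplianceSearch -Identity $name

    # Searches run asynchronously; poll until Completed.
    do {
        Start-Sleep -Seconds 30
        $search = Get-ComplianceSearch -Identity $name
    } while ($search.Status -ne 'Completed')
    Write-Host ('{0}: status {1}, {2} item(s)' -f $name, $search.Status, $search.Items)

    # Preview before acting. The preview is itself an async action named <search>_Preview.
    New-ComplianceSearchAction -SearchName $name -Preview | Out-Null
    do {
        Start-Sleep -Seconds 15
        $preview = Get-ComplianceSearchAction -Identity "${name}_Preview"
    } while ($preview.Status -ne 'Completed')
    $preview.Results

    if ($PreviewOnly -or $search.Items -eq 0) { return $search }

    # SoftDelete moves items to Recoverable Items (recoverable by the user);
    # HardDelete marks them for permanent removal. Service limit: at most 10
    # items per mailbox per purge action, so re-run until Items reaches 0.
    New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
    do {
        Start-Sleep -Seconds 15
        $purge = Get-ComplianceSearchAction -Identity "${name}_Purge"
    } while ($purge.Status -ne 'Completed')
    return $purge
}

# Usage (placeholder values):
# Invoke-PhishPurge -Sender 'billing@example.net' -Subject 'Invoice attached' -PreviewOnly
# Invoke-PhishPurge -Sender 'billing@example.net' -Subject 'Invoice attached'
```

Run with -PreviewOnly first and read the preview results; a query that is one keyword too loose will soft-delete legitimate mail across the whole tenant, and the per-mailbox cap of 10 means the purge step is a loop in practice, not a single call.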
  10. Need to have the limit of 100 site collections increased for inclusion/exclusion in a retention policy.

    Need to have the limit of 100 site collections increased for inclusion/exclusion in a retention policy. To meet business requirements where there may be thousands of site collections but not all require the same retention policy, this is a very limiting limit.

    91 votes
  11. Enable TLS 1.3 support

    Please enable TLS 1.3 support.
    This will improve RTT times and improve privacy.

    84 votes
    working on it  ·  1 comment  ·  Privacy
  12. Keyword Query Limit needs Increase

    A keyword limit of 20 terms has recently been instituted in the Compliance Center eDiscovery searches. This limit is far too low and should be returned to an unlimited number of keywords (or at least a much higher limit like 100 keywords). This is negatively impacting the ability to do more complex searches in the Compliance Center.

    69 votes
    6 comments  ·  eDiscovery
  13. Provide a mechanism which allows a programmatic way to download exports in Compliance Center

    Provide a mechanism to programmatically download the eDiscovery exports in Azure back to on-premises. PowerShell cmdlets or command-line parameters to the existing eDiscovery download tool would suffice.

    58 votes
    3 comments  ·  eDiscovery
  14. Disable TLS 1.0

    At some point to maintain PCI compliance we will need to disable TLS 1.0. I have been told more than one time that we cannot disable TLS 1.0 now on our hybrid Exchange 2016 on-premise servers without losing functionality. We need a patch or update that would allow us to disable TLS 1.0 and still have full Exchange functionality.

    41 votes
    3 comments  ·  Advanced Security Management

    While it is likely that Office 365 will need to leave TLS 1.0 enabled broadly for the near future, we are rolling out TLS 1.2 by default which will allow us to publish updated guidance for Exchange on-premises. Please stay tuned to EHLO blog for further updates — several configuration changes will be necessary to ensure everything works smoothly.

  15. Improve classification of "internal senders" in malware scanning

    I like that I can enable "Notify administrator about undelivered messages from internal senders" in the malware policy.

    I don't like that the malware detection engine has no idea if a sender is actually internal. It does simple domain-matching, which means that if someone is sending out malware and spoofing the sender address to pretend that it's from us, then I get notifications for days. Can't it at least do an SPF check?

    35 votes
    6 comments  ·  Malware
  16. Allow use of TLS 1.1 and higher

    It would be nice to be able to remove TLS 1.0 from our current environments and be able to use our online services such as Skype for Business. Currently, we are unable to connect back to Skype after disabling TLS 1.0 in our environment. Is there a timeline for these changes?

    14 votes
    working on it  ·  1 comment  ·  Advanced Security Management
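Ideas 14 and 16 both run into the same ordering problem: TLS 1.0 cannot be switched off on a hybrid Exchange 2016 server, or on the Windows hosts running the Skype for Business client, until TLS 1.2 is enabled and the .NET Framework has been told to follow the operating system's protocol settings, and the reply above says several configuration changes are needed. The script below is an added example of that sequence, written by the editor and not taken from the posts or from the EHLO blog. It assumes an elevated PowerShell session on Windows Server 2012 R2 or 2016 with .NET Framework 4.x, and the hostnames are placeholders. The registry locations are the standard SCHANNEL and .NET keys; the order (enable 1.2, verify, then disable 1.0) is the point.

```powershell
# Added example, not from the UserVoice posts or Microsoft's EHLO guidance.
# Assumes: elevated session, Windows Server 2012 R2/2016, .NET Framework 4.x,
# Exchange 2016 on the host. Hostnames below are placeholders.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enables or disables a protocol for both the server and client side of SCHANNEL.
    param([Parameter(Mandatory)][string] $Protocol,   # e.g. 'TLS 1.2'
          [Parameter(Mandatory)][bool]   $Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Schannel "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Force -Value ([int]$Enabled)        | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Force -Value ([int](-not $Enabled)) | Out-Null
    }
}

function Enable-DotNetStrongCrypto {
    # Exchange and the Skype client are managed code. Without these values .NET 4.x
    # keeps its own protocol default instead of honouring the SCHANNEL settings,
    # which is why "disable TLS 1.0" alone breaks them.
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $net) {
            New-ItemProperty -Path $net -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $net -Name SchUseStrongCrypto       -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-TlsNegotiation {
    # Opens a TLS session and reports the version the peer negotiated with this host's
    # .NET stack. Certificate validation is bypassed deliberately: the question here is
    # "which protocol", not "is the certificate trusted".
    param([Parameter(Mandatory)][string] $ComputerName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($ComputerName)
        [pscustomobject]@{ Target = "$ComputerName`:$Port"; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
    } finally { $tcp.Close() }
}

# Step 1: enable TLS 1.2 and make .NET follow the OS. Reboot afterwards.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Enable-DotNetStrongCrypto

# Step 2 (after the reboot, and from a client machine as well as the server):
# confirm Tls12 is negotiated by every dependency before touching TLS 1.0.
# Hybrid mail flow, Outlook, Skype and any load balancer in front of Exchange
# are the usual casualties.
'mail.contoso.com', 'sfb.contoso.com' | ForEach-Object { Test-TlsNegotiation -ComputerName $_ }

# Step 3: only once step 2 reports Tls12 everywhere, disable TLS 1.0 (and 1.1 if
# policy requires it) and reboot again. Left commented on purpose.
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
```

Test-TlsNegotiation reports what this host's .NET stack and the peer agreed on, so run it from the Exchange server, from a workstation with the Skype client, and against the Exchange Online hybrid endpoints; if any of them still reports Tls or Tls11, step 3 will cause exactly the outage the two posts describe.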
  17. Automatically apply the default Sensitivity Label to documents in SharePoint Library or OneDrive

    We should have a feature where we can apply a default "Sensitivity Label" to all documents in a SharePoint Site Library or OneDrive irrespective of content, e.g., classify all documents in a SharePoint Library as "INTERNAL" irrespective of content.

    12 votes
    working on it  ·  0 comments  ·  Information Protection