Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Make sure that Exchange Online mailboxes are enabled for auditing

    The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

    408 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    in the plans  ·  19 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  2. Re-enable the Exchange Online Activities API (Magic Unicorn)

    Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

    Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

    On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…

    289 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  3. Audit license assignement by subscription / Product

    We should be able to see with subscription / product was assigned or removed to an office 365 Account. In the Actual audit log, there is only few information that is not relevant at all! We must be able to know who and when a specific office 365 workload is assign to a User, example (office 365 pro plus, or Skype for business)

    265 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    11 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  4. MessageBind

    The action of when a message was viewed in the preview pane or opened by the owner of the mailbox is not logged by mailbox audit logging.
    Please have the "MessageBind" action logged for the owner.

    179 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    15 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow Exchange Admin Auditing retention to be increased past 90 days

    The commands Set-AdminAuditLogConfig -AdminAuditLogAgeLimit do not work on 365. We have a requirement to keep all admin logs for 3 years but this cannot be performed.

    176 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    14 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →

    At this point, the Office 365 service only allows for the retention of audit entries for 90 days. Can you provide us more information regarding your requirement to keep logs for 3 years. Is this a legal obligation? Please provide details around the specific audit entries you would like to retain for an extended period of time.

  6. Mailbox Auditing enabled by default

    We would like to have mailbox auditing enabled by default for all mailboxes in Office 365. We should not have to manually enable for new users as they are added (via PS). Can we not have a way of enabling this for all mailboxes on the tenant?

    146 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  7. Allow us to extract the unified audit logs more than 90 days ago

    Allow us to extract the unified audit logs more than 90 days ago

    I think that many large enterprises have this desire in security policy.

    109 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  8. Extend the Audit Log to hold records for longer than ninety days

    The Audit Log's functionality in Office 365 is excellent but the logs are only held for ninety days rolling.

    Due to this we are having to look at third party solutions to export the logs automatically, but this would be much easier if you extended the logging period out to a much longer period - years would be better than months.

    88 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    7 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow the ability to delete a retention label definition in S&C Center if 'Record' classification

    If you've created a retention label in the Security & Compliance Center and have checked the 'Use label to classify content as a "Record"' checkbox, I would like the ability to delete the label under certain circumstances. If I've never used it, it's not published in any policy, I should be able to delete it. I've set up several "test" labels with this checkbox checked and there is no way (either thru the UI or thru PowerShell) to delete the label definition. Example: if you create a retention label and select the 'record' checkbox, save it and then immediately try…

    79 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow us to create alerts for sign in Failures and Successes based off of IP Geo Location. Alerts if log in success outside of country.

    I would like to Create and alert if there are failed login attempts or successful login attempts from IP addresses originating outside of my City/State/Country.

    Allow us to either white list IP addresses and alert for any not on the white list. Blacklist IP addresses and alert based off of just black list. Select Country regions and alert if selected countries IP addresses are the originating IP. Allow us to alert for only failures, only successes, or both.

    78 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  11. Add search for failed login attempts to Audit Log Search

    Right now the audit log search allows for searching user sign-ins but not failed login attempts. This can be accessed by exporting the events but having that feature available in the search would make it more convenient to get an at-a-glance view of failed attempts and the IP addresses that are attempting to get access. This is not to say I don't trust Microsoft's ability to detect suspicious logins; it's more for our own situational awareness of where *********** attempts are coming from.

    77 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  12. Audit Log Functionality for New Inbox / Forwarding Rule / Mass Failed Logins

    As a support provider I've seen an influx of fraudulent access cases. I would like to see an audit log option (and alert) for Inbox and Forwarding Rules as well as for Mass Failed Logins.
    I know that for E5 and Advanced Security Management subscribers they can create something for failed logins but with this becoming more common place I think the people would appreciate this functionality.

    68 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  13. Allow journaling into Office 365 mailbox

    Either sell a separate Journaling license if it is more expensive to keep journal on Office 365 and price the license according to data amounts like $10 per 100GB/month. Or have an option to put Litigation hold on all mail traffic going through the tenancy. Currently only mailboxes with licenses assigned can have litigation hold so getting those licenses for all shared mailboxes would help a little but would be very costly as shared mailboxes will not need the office or any other licensed features. Even when licensing all shared and user mailboxes, that would not keep the mail that…

    66 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  14. granular audit logging

    We are a hospital and we need granularity on if an account got breached the timestamp of when the email was last previewed/read/deleted or moved.

    50 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  15. Delegate Audit Log access by Activity Type

    Please add the ability to delegate read-access to audit logs by Activity type. For example, access to just "Power BI activities" audit logs, or "Microsoft Teams activities" audit logs.

    This would be useful as different groups within IT manage the usage of different O365 services, yet they have to be given access to all or nothing.

    42 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  16. Fix enabling the Audit Log via Audit log search

    Fix enabling the Audit Log via Audit log search so that the PowerShell cmdlet "Enable-OrganizationCustomization" does not need manually run (used to happen automatically) and a two hour wait is not needed after that before the Audit log can be turned on (used to happen in the same step and take no more than 5-10 minutes total).

    The error is below and doesn't get much more verbose and unfriendly:

    Request: /api/adminauditlogconfig/EnableUnifiedAuditLogIngestion Status code: 500 Exception message: {"Message":"The command you tried to run isn\u0027t currently allowed in your organization. To run this command, you first need to run the command: Enable-OrganizationCustomization.","DiagnosticContext":"{Version:16.00.2956.005,Environment:NCUPROD,DeploymentId:18d19f7d03b848d7a3f3fb735faaefc6,InstanceId:WebRole_IN_2,SID:55fd38f7-f62b-427c-91d7-12d7a11ba643,CID:ad8a7cc4-e1fa-4914-8503-ea4b0f76ba2c}","Time":"2019-03-25T19:02:33.2250755Z","ExceptionType":"Microsoft.Exchange.Configuration.Tasks.InvalidOperationInDehydratedContextException","ExceptionData":{"Source":"AdminAuditLogConfig"}}…

    42 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  17. New-InboxRule cmdlet needs CreationDate added

    When an account compromise happens, the majority of times the threat actor will create a new-inboxrule to hide their activity. Currently when new-inboxrules are created there is no logging for the Creation Date via powershell cmdlet. If we could get this logged, it would help tremendously with account compromises. Also adding a historical rule creation view for past 90 days would be beneficial as well.

    38 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  18. Activity „Download attachment via Outlook Online“ must be logged

    Hi team,

    unfortunately it‘s not logged in the Activity Log, when a user is downloading an attachment via Outlook Online. IMHO this is an absolut must, that this activity is logged, because it‘s very easy for users to get data out of Office 365 without been controlled.

    Please integrate this missing activity as fast as possible.

    Kind regards,
    Daniel

    37 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow SharePoint Auditing Alerts to be configured for an individual site or site collection.

    This is a big compliance gap for us at the moment. When giving site owners full ownership of their site we are unable to provide them with alerts on permission changes or file access/download. This is available to them with our file share compliance tool and is limiting the adoption of SharePoint.

    37 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  20. external user Reports

    Please provide detailed auditing of which files have been accessed by external users.

    36 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 9 10
  • Don't see your idea?

Feedback and Knowledge Base