Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own (25 words or less, please)
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. Active Directory AccountExpires attribute does not stop login to Office 365

    We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still log in to Office 365.

    We believe this is a major security flaw, as many customers will believe that if the user can no longer log in to the Active Directory domain then they must also not be able to log in to Office 365; however, this is not the case.

    Setting an account with an expiry date should stop the account from logging into Office 365 as well.

    384 votes
    19 comments  ·  Advanced Security Management
  2. Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

    Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

    The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

    OutlookWebApp: BasicAuthentication, AdfsAuthentication
    ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
    RemotePowerShell: BasicAuthentication, NonBasicAuthentication
    ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
    IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

    384 votes
    11 comments  ·  Advanced Security Management

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

  3. Add a "Trust this Device" option to reduce frequency of multi-factor prompt

    Most multi-factor/2-factor authentication schemes allow the user to check a box when they log in using the second factor of authentication to say "Trust this Device", meaning "Don't ask for the second-factor code again on this device (optionally: for X days)". [Google, LastPass, Yahoo, ...]

    Microsoft Office 365 does not have this, which makes good login security unnecessarily burdensome, as the user must have their second factor authentication device with them at all times and use it every time they log in.

    Some users will refuse to use it at all, given the extra burden. Others will use it but be…

    185 votes
    5 comments  ·  Advanced Security Management
  4. Disable download option at library in SharePoint

    In site permissions, under the permission levels option, I can't configure a level where the user can only read the content of the library online and is not able to download it. That is to say, I can't disable or restrict the download option even when:
    1. I assign a read-only permission and/or
    2. I activate IRM on the library. This option forces users to acquire licensed and compatible software to read the PDF documents. This is not what our organization is looking for.

    This is a basic option that should be available, don't you think?

    180 votes
    6 comments  ·  Advanced Security Management
  5. Add 3rd party Authenticator support to Office 365 2-factor auth

    Please add support for 3rd party 2-factor authenticator apps like LastPass Authenticator or Google Authenticator by adding support for RFC 6238 "TOTP: Time-Based One-Time Password Algorithm".

    I don't want to fill my phone with vendor-specific authenticator apps.

    https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

    172 votes
    13 comments  ·  Advanced Security Management
  6. Increase security for MFA App Passwords – ‘flaw in security’

    There are a few security issues with App Passwords while using MFA. The security around App Passwords needs to be strengthened.
    First, App Passwords consisting of all lowercase alpha characters are not as secure as the current password policies our users are using. By enabling MFA, our clients and users are complaining about the strength of the App Password.
    Second, App Passwords that can be re-used are lessening the password security of user accounts. This allows users to copy/paste or write down the password to be used again and again.
    Suggestions.
    - Increase the complexity of the App Password (upper case,…

    147 votes
    6 comments  ·  Advanced Security Management
  7. Fix Advanced Threat Protection Attachment Scan When Email Is Auto-Forwarded

    Currently ATP fails to release an attachment (continually displays ATP Scan in Progress in place of the actual attachment) when the email with the "stuck" attachment has been auto-forwarded by a user with an Out-of-Office rule in place within the same email domain. Strangely, the email attachment is scanned just fine from the auto-forwarding recipient and can be manually forwarded to any recipient, but if it's auto-forwarded, the attachment stays stuck and never displays as available. This has been reported to MS Support, who attempted a work-around (which failed): Office 365 Ticket #30126-5487056.

    145 votes
    15 comments  ·  Advanced Security Management
  8. Enable geofencing in Office365

    Enabling geofencing will be a good option to prevent access from different parts of the world.

    133 votes
    4 comments  ·  Advanced Security Management
  9. Security & Compliance Center PowerShell - ADAL Support for MFA

    PowerShell for Security & Compliance Center Needs ADAL Support, as right now it uses the Exchange connector to the Basic auth endpoint. Exchange Online PowerShell has an ADAL client now, where's the one for Security & Compliance Center?

    123 votes
    6 comments  ·  Advanced Security Management
  10. EMS Suite Licensing should be free for Government Tenants

    Government IT shops are an entirely different beast from your typical commercial customer.

    An IT shop can range in size from 2-3 staff for a small city or 100s or 1,000s for a large city/county/state. Regardless of size in terms of staff or budget, ALL of us have an identical regulatory responsibility.

    Protecting critical infrastructure and services our citizens depend on isn't an optional activity. Why are the necessary tools contained in the EMS licensing suites not made available to Government entities free of charge? These are critical tools which must be utilized in order to best protect the…

    120 votes
    0 comments  ·  Advanced Security Management
  11. Allow alteration to the global Azure AD Password Policy (complexity, length, etc)

    Force special characters in Azure AD password Policy

    I would like the ability to force more complex passwords without the need for a Dirsynced server. The default password policy for the global profile in Azure AD is not strong enough, and I would like some better options for length, complexity and special character requirements.

    109 votes
    3 comments  ·  Advanced Security Management
  12. FIDO U2F support

    Office 365 for work: We need Office 365 for Work to support a FIDO Universal Second Factor (U2F) protocol standard Security Key.

    Many organisations would like to shift to Office 365, but they are concerned about the security standard, which requires Office 365 to support the Universal Second Factor (U2F) protocol standard security key, as Microsoft is a member of FIDO.

    101 votes
    8 comments  ·  Advanced Security Management
  13. Conditional Access by Network Location

    Want to bring network location-based conditional access policy not only to SharePoint but also to the whole of Office 365.

    97 votes
    3 comments  ·  Advanced Security Management
  14. Advanced Threat Protection and Dynamic Delivery of emails

    With Dynamic Delivery, email is delivered with a provisional attachment that indicates that the original attachment is being scanned by ATP and will be delivered soon. If this email is forwarded before the original attachment is released by ATP, the recipient of the forwarded email will receive the provisional attachment and never see the original attachment once released to the first recipient.
    This is a problem for businesses where many executives on the move use mobile phones to routinely forward emails to team members for follow-up. We also have users who set up Outlook rules that forward emails to other users. …

    93 votes
    3 comments  ·  Advanced Security Management
  15. More Than 8-Character Minimum Password Requirement

    Allow for the current 8-character minimum requirement to be changed to something longer (i.e. – 10 or 12). Allowing for an 8-character minimum password length ensures mostly that.

    Changing character density from 8 to 10 characters increases offline resilience from less than a day to almost two (2) decades, and 12 characters to over a thousand centuries [ref: Gibson research Center’s ‘Haystack’ page - https://www.grc.com/haystack.htm ].

    Allowing administrators the option of lifting this minimum not only forces users to create potentially more secure passwords, but also allows them to use them longer without needing to change them… potentially until there…

    92 votes
    2 comments  ·  Advanced Security Management
  16. Provide the ability to edit the default protection alert(s) in powershell

    First off the help for new-protectionalert -examples should provide more information than "insert example commands for example 1"

    Secondly, it does not appear to be possible to edit the default protectionalerts that exist on a new tenant in powershell.

    Attempting to get and then set the recipient crashes the powershell as follows.

    get-protectionalert | ? {$_.operation -eq 'MailRedirect'} | set-protectionalert -notifyuser noc@nocdomain.com
    WARNING: An unexpected error has occurred and a Watson dump is being generated: There is no rule matching identity
    'f00ed340-8f84-4eb4-83f3-0075a22b262e\Creation of forwarding/redirect rule'.
    There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e\Creation of forwarding/redirect rule'.
    + CategoryInfo : NotSpecified: (:)…

    86 votes
    5 comments  ·  Advanced Security Management
  17. Allow users to migrate their Microsoft accounts to Office 365

    When a firm establishes an Office 365 tenant, they should have the option to allow users to migrate their existing Microsoft Account identities to the company account. This should migrate their existing OneDrive and other consumer data to the corporate account as well as "merge" the identities so access given to other Office 365 tenants' SharePoint and other sites transfers over. Users could also opt not to migrate, in which case they should be required to "vacate" the company domain and migrate to an outlook.com or other consumer branded domain, much like the old Lync/OCS federation process that took place…

    70 votes
    1 comment  ·  Advanced Security Management
  18. Add support for CAA records in DNS panel

    I'd very much like to see support for CAA records in the future =).
    See https://support.dnsimple.com/articles/caa-record/

    The check for this record is going to be mandatory with September 2017. The security of all our certificates and domains would be greatly improved if we could set this record :)

    68 votes
    1 comment  ·  Advanced Security Management
  19. A bug when creating a Retention Policy for Skype for Business in the O365 Admin portal

    When creating the policy, the * means all, but it still forces you to select users to add to the retention policy.

    67 votes
    4 comments  ·  Advanced Security Management
  20. Ability to limit access to Online Archive by Client Location

    We'd like the ability to limit access for users to their O365 Online Archives by client location/IP.

    For example, if the user is connected to the corporate network, their online archive should be accessible through Outlook. If the user is away, working from home, etc, the online archive is not available/accessible.

    Whilst we have security measures in place (like MFA) for accounts if a user's credentials are stolen, the most common access would be via OWA from an external location/IP. By archiving (moving) old/sensitive email to the online archive, and restricting access by location, we could effectively limit the amount…

    62 votes
    0 comments  ·  Advanced Security Management