
Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own in 25 words or less, please
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

How can we improve compliance or protect your users better in Office 365?

  1. Better management tools for ATP Safe Attachments

    There is no way to manage emails that are currently undergoing an attachment scan in ATP. If that service goes down or experiences performance issues, there should be a way to administratively release these attachments.

    1 vote
    0 comments  ·  Advanced Security Management
  2. In change password page please provide some guidance text on success or fail

    In the Office365 Change password page, please add some guidance text when the operation of changing the password was performed with success or with failure. It only has some guidance while typing the password (from JavaScript on the client side) but there is no guidance after you click the Submit button. After submit, the page looks the same as the first time you enter the page. I do not know if the change was performed with success and then to use the new password, or the change failed and I should still use the old password.

    1 vote
    0 comments
  3. If Sending to multiple recipients, it would be nice if the tool tip still appeared at the top of the message.

    The ATP anti-phishing policy puts a neat MailTip on top of the message for one recipient - if to many, it puts it in the footer in plain text, right after our disclaimer. That is pretty worthless.

    1 vote
    0 comments  ·  Spam & Phishing
  4. 1 vote
    0 comments  ·  Spam & Phishing
  5. Allow you to change the name of a rule after Preservation Lock

    Simply allow users to change the name of a rule set up after the preservation lock is set up. The purpose of Preservation Lock is to block you from making the rules less restrictive, not to stop you from renaming the rule, which is inconsequential.

    1 vote
    0 comments  ·  eDiscovery
  6. outbound malware report: don't count NDRs in this report

    outbound malware report triggers panic.

    NDRs of malware emails are showing up in the outbound malware report.

    NDRs probably shouldn't include the virus payload or else such NDRs shouldn't be shown in the outbound malware report.

    1 vote
    0 comments
  7. provide a way to check retention tag status from user's mailbox via admin portal and via PowerShell for retention reporting and monitoring

    When corporate user mailboxes are assigned retention policies, the administrator should have ways to know if a user's folder has a personal tag or not, to understand how users protect their data. And a PowerShell command for checking the retention tag on a specific folder would be necessary.

    1 vote
    0 comments  ·  Compliance Manager
  8. Provide the option to decrypt emails on the client only

    In the Snowden incident, the government forced Lavabit to provide them with their SSL keys, in order to decrypt their traffic.

    For some clients in financing and government, this risk might not be acceptable.

    Therefore, it should be possible to have an additional encryption layer on top of SSL, where emails are transferred to the client in an encrypted state and can only be decrypted by the client.

    1 vote
    0 comments
  9. Dangerous behaviour of SPAM Whitelist

    If there are multiple senders in the SMTP header, the spam whitelist checks each of these senders, and if one is included, then the message is whitelisted. Sounds good.

    I have received some phishing emails that are whitelisted, because the faked sender is in my whitelist.

    MAIL FROM: <wicked@spam.com>
    From: Display Name <good@wellknown.com> <wicked@spam.com>
    (no sender field)

    So, if I have <good@wellknown.com> in my whitelist, the mail would not be checked as spam. The mail however is sent from <wicked@spam.com>. It would be displayed as
    Display Name <good@wellknown.com> in Outlook.

    1 vote
    0 comments  ·  Spam & Phishing
  10. test

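    Currently, when using Microsoft Office 365 services other than the Outlook on the web service, Skype for Business presence information is not displayed in the Office 365 navigation bar.
    Going forward, we would like presence either to be displayed correctly in all Office 365 services, or to be able to hide presence in all services.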

    1 vote
    0 comments
  11. ATP scanning document dimension limit

    Extend the O365 ATP limit for SharePoint Online documents. Currently O365 ATP supports 25MB documents in scanning with SharePoint Online.

    1 vote
    0 comments  ·  Spam & Phishing
  12. Add ability to block Apple Watches as mobile devices to prevent downloads of email

    As of now, a user could have an authorized mobile device (company iPhone or BYOD), with which he/she can get access to email. These devices have encryption and PIN policies via Office 365. These devices are registered and allowed via Office 365. If a user connects an Apple Watch to their iPhone, they can download email and attachments to it; the device is NOT encrypted nor PINed with policies and NOT authorized. Yet it is being allowed. Security risk.

    1 vote
    0 comments  ·  Advanced Security Management
  13. Address zero width spaces used in URLs - safelinks phishing

    This article highlights weaknesses in Microsoft safelinks: https://thehackernews.com/2019/01/phishing-zero-width-spaces.html
    It also states Microsoft addressed this on 9 January 2019.

    However, testing on 11 Jan, we were able to use zero width spaces within a URL. It appeared that the URL was still being checked by safelinks as it goes to https://apac01.safelinks.protection.outlook.com/?url=https: ... " but when html source code was viewed it showed that safelinks data verification failed; and the user was directed to the modified URL which originally had zero width spaces included.

    Can Microsoft please check this?

    1 vote
    0 comments  ·  Spam & Phishing
  14. Simplify secure email transport for senders and recipients

    Use Case: Outbound email shall transmit securely with TLS as the preferred method of delivery; if TLS is unavailable, then automatically send as a secure envelope.

    Goal is to securely deliver the email with as much transparency to the recipient as possible. TLS first and then if that fails, secure envelope.

    Provide this capability by allowing the use of "key words" in the email subject to flag the system to transmit in this way.

    Email is transmitted securely and the recipient does not have to manage passwords or act on a one-time password.

    1 vote
    0 comments  ·  DLP & Transport Rules
  15. ediscovery

    the ediscovery doesn't pull up the right search results for all emails between a time interval with specific recipients and senders

    1 vote
    0 comments  ·  eDiscovery
  16. Add guidance for Mac users on how to encrypt for InTune compliance

    Add guidance (or link to Apple guidance) for users who are prompted to encrypt their Mac to comply with InTune device management. Currently users are told to encrypt, then linked to a page with no information on how to do this.

    1 vote
    0 comments
  17. Viewing attachment filename

    We have Transport rules set up in order to trap any attachments. We then get notifications forwarded by the recipient, then we check the Quarantine page within Exchange Admin Centre, and when we find the email, we can click on 'Preview Email Message' and see the filename of the attachment. We use this feature just to view the filename - not the contents - just the filename and its extension, so we can quickly analyze its potential risk. This feature is now missing in the new Quarantine page within the 'Security & Compliance Centre'. Can this feature be enabled…

    1 vote
    0 comments  ·  DLP & Transport Rules
  18. Provide adequate controls to prevent the mixing of work and personal accounts in Office 365

    At the moment staff can create new profiles or add to existing profiles personal accounts from Hotmail, outlook, live domains. This can be prevented but only by a registry change that then requires further changes to allow support staff to resolve problems on an ad-hoc basis.

    Proper functionality to control who can create/edit profiles and from what domains in the administration GUI would be appreciated from pretty much any regulated business.

    1 vote
    0 comments  ·  Advanced Security Management
  19. content search to add Number of Recipients is not greater than X number of Recipients

    content search to add Number of Recipients is not greater than X number of Recipients field for teams searches

    1 vote
    0 comments  ·  eDiscovery
  20. man in the middle

    Ladies and Gentlemen!

    Our IT security specialists have found out that the login data is transferred in plain text when logging on to Office 365. This enables very simple "Man in the middle" attacks. I found a post in Technet about this topic, which is two years old.
    This should be checked and fixed urgently.
    Link to original post: https://blogs.technet.microsoft.com/latam/2016/12/09/o365sectalken/
    Thank you very much!

    1 vote
    0 comments  ·  Advanced Security Management