Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Block logins from other countries

    It would improve security if we can restrict O365 logins to a specific geographic region. Or exclude specific countries if we identify major hacking attempts from those countries.

    3,245 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    179 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Change Exchange Online recipient limit

    Need to change Exchange online Recipient Limits. The default value is 500 and can't be modified.
    In this case, users are able to send bulk\Spam messages by selecting entire global address list.

    1,414 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    108 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  3. Implement Sender Rewriting Scheme (SRS) to Resolve Forwarding Issues

    Forwarding in SMTP is fundamentally flawed unless you implement SRS.

    http://www.openspf.org/SRS

    If you maintain the Return-Path of the originating message while forwarding you effectively spoof the originating domain.

    If you modify the Return-Path to be the address of the account that forwarded a message you break the Return-Path chain and delivery issues will result in the forwarded message Delivery Status Notification (DSN) being delivered to the forwarding user and not the original sender.

    SRS resolves this by modifying the Return-Path in a way that doesn't spoof the originating domain but still allows DSNs to be sent to the original sender.

    639 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    34 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    Added to the roadmap (https://products.office.com/en-us/business/office-365-roadmap) for tracking. As mentioned earlier, we’re also looking very seriously at Authenticated Received Chain, which is in draft, but has good momentum for adoption. We hope to report back soon on that as well.

    If you’re interested in signing your tenant up early to help us test this out, be sure to give us your email address so you can receive an invitation when we’re ready!

  4. Allow Partners to access the Security and Compliance Center

    Please grant Partners the ability to access the Security and Compliance Center through the Partner Admin portal.

    570 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    27 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working

    Hello Microsoft ATP Team,

    This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts gets compromised. We had a lot of incidences happening in our environment, As these emails are getting generated from the actual account hosted in Office 365 the email are considered to be safe and lands in users Inbox. We have ATP safe links policy in place however its not performing the job as expected. ATP is a great feature but we request…

    567 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    25 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant; and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.

  6. End User Spam Notifacation - Frequency

    Currently we can only have 1 email sent per day notifying the user they have spam in quarantine.

    The email is usually sent just after midnight so if the user does not check their quarantine it could be a full 24 hours until the use is notified that they have spam to release.

    Could I suggest that at least 3 times per day this email can be sent?

    Cheers

    557 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    62 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback. We have a clarifying question that would help us to prioritize this better: If you need notices 3 (or more) times per day, why use quarantine at all? Why not send the mails to a junk folder which the user can check on demand? If you want a notice each time any message gets quarantined, again, what prevents just sending the mails to a junk folder instead?

  7. Improve message tracing in Exchange online

    We have had a lot of issues with spam, whether its cryptovirus emails getting through, or good emails getting improperly blocked. Because of this, we need good message tracing (to find the emails), which we do not feel we have with exchange online. We would like to make the following suggestions:

    1. Need to be able to trace further than 7 days back without a 4 hour wait per trace. Our previous message tracing system could go back the entire year nearly instantly, but we need at least 30 days without the 4 hour wait per trace. This was pitched…

    470 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    19 comments  ·  Message Trace  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for taking the time to submit this feedback. Since there are multiple pieces and layers of feedback in this single post, it makes it more difficult than many to address. First, let us share a little about what we’ve been doing. Since this post was made, we have prioritized performance and reliability improvements for both Message Trace (inside 7 days) and Historical Search (typically outside of 7 days). We’ve added details to Message Trace that weren’t there before, decreasing the need to run Historical Searches inside of 7 days. For Historical Search, we have improved the results to be more clear for those who are not familiar with the Exchange Message Tracking log format. Additionally, while we get the total value of Message Trace, we’ve also prioritized reducing the constant need to search & destroy. We’ve made tremendous strides in effectiveness, even as the bad guys got more…

  8. allow quarantined emails to be deleted from the quarantine list for clarity

    ability to delete emails in the quarantined queue that were reviewed and are irrelevant . this will make it easier to check the queue over time instead of waiting for the messages to expire.

    458 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    31 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  9. OneDrive for Business unable to perform delete folder directly caused by Retention Policy

    Dear Microsoft,

    OneDrive for Business is one of the useful tools for cloud storage whereby end user should be able to folders (even got files inside) easily even being applied with retention policy.

    Retention policy is suppose used on backend which not suppose to affect on OneDrive for Business usage. We are have 500 users getting impact on this. (and i assume all users having this issue as Microsoft support tested having this issue - "behaviour")

    I was informed by Microsoft that this is by default preservation policy design behaviour, which I think this is not consider design behavior anymore…

    456 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    33 comments  ·  eDiscovery  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow Settings for Message Expiration Timeout Interval and NDR

    For some error codes related to sending mails, the senders may receive the NDR immediately. However, for some other error codes, the mail server marks the undeliverable messages as a temporary error and the senders doesn't immediately receive an NDR. Instead, Exchange Online repeatedly tries to deliver the message over two days. Only after two days of unsuccessful delivery attempts does the sender receive this NDR.

    For some time critical businesses this is not acceptable. The user has to be informed very quickly (<6 hours) that his Mail was not delivered by now. Then the user can phone the recipient…

    447 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    48 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. Make sure that Exchange Online mailboxes are enabled for auditing

    The big problem with mailbox auditing – for both Exchange on-premises and Exchange Online – is that you must enable it for mailboxes to start recording audit events. If you do not enable auditing for a mailbox, Exchange assumes that you don’t care about what’s going on and captures nothing. When the time comes to search the Office 365 audit log, you get a big fat blank. Microsoft should either enable all EXO mailboxes for auditing or allow tenants to update mailbox plans to ensure that new mailboxes are enabled upon creation.

    408 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    in the plans  ·  19 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  12. Office 365 mail queue viewer and control

    It will be better if Admins get the option to view the mail queue in Office 365. We will have more control on the email flow if this option is enabled.

    385 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    26 comments  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback.

    Today you can see messages which are “pending” in a queue through Message Trace feature. In the Mail flow Dashboard, you can see messages queued for more than an hour. We’ve also created alerting for this condition. Can you tell us what other things you need and what the scenarios look like / how commonly you need to perform the task?

    This would help us when evaluating this item further.

  13. Active Directory AccountExpires attribute does not stop login to Office 365

    We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still login to Office 365.

    We believe this is a major security flaw as many customers will believe if the user can no longer log in to the Active Directory domain then they must also not be able to login to Office 365, however this is not the case.

    Setting an account with an expiry date should stop the account from logging into Office 365 as well.

    384 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    19 comments  ·  Advanced Security Management  ·  Flag idea as inappropriate…  ·  Admin →
  14. Add ability to deny EWS and MAPI clients using Basic Authentication, with Client Access Rules for Exchange Online

    Currently, MFA for Azure AD / O365 is useless regarding protection of mailboxes in Exchange Online, as EWS and MAPI clients can still connect to mailboxes using Basic Authentication, even with Conditional Access rules in place to require MFA, and there's no way of denying this server-side on EXO.

    The newly-released Client Access Rules feature promises this functionality in its documentation (see https://technet.microsoft.com/library/mt842508.aspx and https://technet.microsoft.com/en-us/library/dn913650(v=exchg.160).aspx), but unfortunately the functionality is crippled. You can only make rules in the following combinations (info from EXO Engineering team):

    OutlookWebApp: BasicAuthentication, AdfsAuthentication
    ExchangeAdminCenter: BasicAuthentication, AdfsAuthentication
    RemotePowerShell: BasicAuthentication, NonBasicAuthentication
    ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, CertificateBasedAuthentication
    IMAP4/POP3/OfflineAddressBook/PowerShellWebServices/ExchangeWebServices/REST:…

    384 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    11 comments  ·  Advanced Security Management  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for taking the time to provide this feedback. We’ve updated the TechNet documentation (https://technet.microsoft.com/library/mt842508(v=exchg.150).aspx) to clear up confusion around which authentication type and protocol combinations are supported in CARs. Expanding support for more combinations could prevent bad actors with valid credentials from accessing mailbox content, but it wouldn’t help with scenarios like password spray attacks or malicious lockout attempts because CARs are evaluated post-authentication. There’s work underway on a solution that covers a broader array of basic authentication scenarios – we’ll share more details as soon as possible. In the interim, this blogpost (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/) outlines the recommended approach for forcing multi-factor authentication when using AAD and ADFS.

  15. Allow DLP rule exception for encrypted outbounds

    DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
    One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
    I would like to trigger a rule on outbound matches unless the message is encrypted in order to enforce our internal policy compliance.

    379 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    16 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  16. Suspicious Login Reports and Alerts

    Microsoft needs to include FREE reporting and alerts to paying office 365 subscribers. Apparently the azure reports that would be useful to office 365 subscribers require a paid subscription (according to the 2 tickets I put in with azure support)
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports.

    The office 365 audit log is a mess and doesn't give a clear picture of all suspicious activity for all users at a glance, e.g. logins from multiple geographies.

    Ideally, admins would be able to get alerts based on suspicious activity. We've had several users accounts get hacked and we've had no idea. People were logging in from…

    346 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    23 comments  ·  Reports  ·  Flag idea as inappropriate…  ·  Admin →
  17. DLP needs to be able to read OCR

    At the present time DLP is not able to read OCR documents, namely documents scanned to PDF. This is a GIANT, GAPING hole in terms of security. I have clients who have 100's of thousands of documents that contain sensitive information saved in OneDrive but no DLP policies can be applied to these documents, since DLP is not OCR aware. Please correct ASAP! Thanks!

    342 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    8 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  18. Re-enable the Exchange Online Activities API (Magic Unicorn)

    Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

    Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

    On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this…

    289 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
  19. Enable Transport Rule action for Distribution Group

    In Exchange Online or EOP, We cannot create a transport rule with the action set to Distribution Group.

    It errors as follows :

    The transport rule can't be created because group@domain.com, the recipient to be added by a rule action, is a distribution group. Transport rules can't add distribution groups to messages. To resolve this error, remove this recipient and specify a different one.

    Since there are workarounds to resolve, Can this be fixed directly without any error.

    276 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    13 comments  ·  DLP & Transport Rules  ·  Flag idea as inappropriate…  ·  Admin →
  20. Audit license assignement by subscription / Product

    We should be able to see with subscription / product was assigned or removed to an office 365 Account. In the Actual audit log, there is only few information that is not relevant at all! We must be able to know who and when a specific office 365 workload is assign to a User, example (office 365 pro plus, or Skype for business)

    265 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    11 comments  ·  Auditing  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 95 96
  • Don't see your idea?

Feedback and Knowledge Base