Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. Log protocol rejections in Exchange Audit Log

    Azure AD logs the protocol authentication as successful and there is no protocol rejection logged in Exchange. This makes it very hard to prove the system was NOT accessed from an investigation perspective. This should be addressed by Microsoft ASAP. From a security perspective, there is value in knowing about connections which are denied to a system, as this could indicate an attack.

    1 vote
    0 comments  ·  Auditing
  2. Security Reports

    Please enable better format for reports. PP, PDF etc. Something with graphics. CSV format not good for quick summary overview.

    1 vote
    0 comments  ·  Reports
  3. Need discrete XML files for domains and ip addresses that can and cannot traverse a proxy solution

    Please create 3 discrete XML Feeds for the following categories of traffic to enable easier consumption of data required to configure the customer's environment relative to proxying traffic for Office 365 workloads:

    • All FQDN/CIDR paired and CIDR prefix only destinations - Bypass your proxy for all FQDN/CIDR paired and CIDR prefix only destinations;
    • Inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix - Bypass your proxy or remove inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix;
    • Everything Else - For any remaining optional FQDNs, wildcards, DNS,…

    1 vote
    0 comments  ·  Advanced Security Management
  4. Need APIs to handle Labels in protection.office.com

    Are there any APIs to manage Labels in the Security and Compliance portal / Office 365 for SharePoint Online, Exchange Online and OneDrive? If they exist, please give the details.

    If not, will the same operations be available through PowerShell? Please provide the details, if they exist.

    FYI: The link below is similar to my requirement:

    https://stackoverflow.com/questions/48391178/api-or-mechanism-to-apply-scc-labels-to-exol-mailbox-items-and-folders

    This is an urgent requirement, so I need confirmation from your side ASAP.

    0 votes
    0 comments  ·  Auditing
  5. MalwareFilterPolicy: BypassOutboundMessages

    The parameter BypassOutboundMessages should also work in Exchange Online.

    3 votes
    0 comments  ·  Spam & Phishing
  6. Allow search for all activity by IP

    I would like to search the entire activity log by a specific IP address.

    0 votes
    0 comments  ·  Auditing
  7. Email Certificate of Destruction

    There is the capability to enable mailbox auditing, which also provides an audit log if a user or an Exchange admin hard deletes a message. However, this audit log does not capture hard deletes when initiated from a retention policy. I would think this is a critical piece of information any compliance and regulatory department would need in the case of defensibility in a legal situation.

    0 votes
    0 comments  ·  Auditing
  8. Alert Policy for "Unusual Volume of file deletion" should ignore when Retention Policy expires

    Alert Policy for "Unusual Volume of file deletion" should ignore when Retention Policy expires
    We have a 3-year retention policy.
    During those 3 years, people delete things, but they really don't delete until the end of the 3-year retention policy.
    So every day, we get the "Unusual Volume of file deletion" event, but it's really just the 3-year-old files that are getting deleted due to the retention policy timing out the deleted files.
    Can you exclude these types of deletions because clearly the intent of the rule is to alert of sudden deletions, not the ones that happened…

    0 votes
    0 comments
  9. We have implanted DLP policies and straight away we have had a huge number of false positives specifically associated with the "France Natio

    We have implanted DLP policies and straight away we have had a huge number of false positives specifically associated with the "France National ID Card (CNI)" rule. Looking at the information on this page: https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-sensitive-information-types-look-for#france-national-id-card-cni The rule suggests a very simplistic 12 digit number and no keywords. This is, in our opinion, far too simplistic a check and the rule must have associated keywords to give the rule some form of validity and confidence. We have had to remove this specific check from our policies, which defeats the whole purpose of DLP!

    1 vote
    0 comments  ·  DLP & Transport Rules
  10. The same portal with all alerts (MCAS, S&C, ATP...)

    We have a lot of pages for the alerts. Why isn't there a new portal for all alerts? Or better, if I close one alert in one page, why doesn't it synchronize automatically? We don't like having a lot of pages in the browser (MCAS, Sec. & Com., Win ATP, Azure IPC, etc...). All pages have the same alerts and our customers don't close the alerts because they have a lot of duplicate work closing the same alert in 2/3 pages.

    For example, Microsoft offers Single Sign-On (SSO), this feature is perfect because we have: 1 mail = multiple apps with…

    0 votes
    0 comments  ·  Advanced Security Management
  11. The same portal with all alerts (MCAS, S&C, ATP...)

    We have a lot of pages for the alerts. Why isn't there a new portal for all alerts? Or better, if I close one alert in one page, why doesn't it synchronize automatically? We don't like having a lot of pages in the browser (MCAS, Sec. & Com., Win ATP, Azure IPC, etc...). All pages have the same alerts and our customers don't close the alerts because they have a lot of duplicate work closing the same alert in 2/3 pages.

    For example, Microsoft offers Single Sign-On (SSO), this feature is perfect because we have: 1 mail = multiple apps with…

    0 votes
    0 comments  ·  Advanced Security Management
  12. Attack simulator spear phishing template variables

    In the attack simulator to run a spear phishing attack, the template variables are only username and URL. Adding another variable for email address would be helpful in addition to these as email address is often the user ID for many accounts, so being able to display the email address in the template would further simulate true attacks.

    0 votes
    0 comments
  13. Refine the mechanism behind the anti-phishing policies.

    We are seeing an incredible amount of emails being filtered for email senders from domains which are only similar to what we have stipulated that we would like to protect.

    This needs to be refined. Similar email domains should not be filtered.

    For example, if within the policy, you specifically state that you want to protect germany.com and then you see hundreds of emails being filtered with a sender address of ababa@newgermany.com, it is not efficiently being acted upon.

    0 votes
    0 comments  ·  Spam & Phishing
  14. Add more data to safe links malicious url click

    With the arrival of AIR to Security and Compliance we have noticed that there is no correlating data for when a user clicks on a Malicious URL. For example, if someone were to run a Safe Link through VirusTotal or urlscan without first sanitizing through o365atp it would count as a click for the user. If we were able to see IP address etc. at time of click it would be more helpful in determining exposure vs. false positive.

    0 votes
    0 comments  ·  Spam & Phishing