Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. If sending to multiple recipients, it would be nice if the tool tip still appeared at the top of the message.

    ATP anti-phishing policy puts a neat MailTip on top of the message for one recipient - if to many, it puts it in the footer in plain text, right after our disclaimer. That is pretty worthless.

    1 vote
    0 comments  ·  Spam & Phishing
  2. Set user as 'not junk' from quarantine page

    Currently when emails go into Quarantine (after falling into the 'prevented phishing messages' category), I cannot release these directly from the summary email. Instead users have to follow the link to the quarantine section of, which allows them to release the message from quarantine, but doesn't give any useful option to add them to the whitelist/not-junk list.

    Could this be added please?

    1 vote
    0 comments
  3. Have option in SSPR to always request Security Cognitive questions method regardless of other methods selected

    We need to be able to validate something we know and something we have to reset a password. Not sure why MFA is not possible to have with security questions at step 1 or 2 during the method validation without having a phone configured as well. We don't use phone numbers to reset password and MFA and force to do it for SSPR or Security questions are never asked if you also have MFA. Why this limitation of controls? Let's have the ability to ask security questions all the time like all other SaaS.

    1 vote
    0 comments  ·  Advanced Security Management
  4. Audit event is generated in Azure Information Protection manually tagged one way but should be automatically tagged another

    At present using Office 365 labelling to automatically label an email or file will only work if the user has not tagged it. If the user tags the file manually but automatic classification should tag it as another, the manual process overrules.

    There is no audit event generated for this, so a user could attach credit card numbers into a document, classify it as public and send it out. There would be no event generated which said it contains credit card numbers, only that it was classified as public.

    It should either:
    a) Override the manual tagging and classify it…

    1 vote
    0 comments  ·  Auditing
  5. Allow you to change the name of a rule after Preservation Lock

    Simply allow users to change the name of a rule set up after the preservation lock is set up. The purpose of Preservation Lock is to block you from making the rules less restrictive, not to stop you from renaming the rule, which is inconsequential.

    1 vote
    0 comments  ·  eDiscovery
  6. Pop up message as an action in the Mail flow rule

    Under mail flow in Exchange, there should be a way to provide a pop-up message for senders who are sending emails to external domains without classifying the email.

    1 vote
    0 comments  ·  Information Protection
  7. Outbound malware report: don't count NDRs in this report

    Outbound malware report triggers panic.

    NDRs of malware emails are showing up in the outbound malware report.

    NDRs probably shouldn't include the virus payload or else such NDRs shouldn't be shown in the outbound malware report.

    1 vote
    0 comments
  8. Is archiving required in order to turn on deletion in O365 email?

    Can I simply turn on auto deletion without using archiving?

    1 vote
    0 comments  ·  Compliance Manager
  9. Fix wording and styling on verification/authentication/app-password pages

    On this page: https://portal.office.com/account/

    there is an option labeled as follows: "Update your phone numbers used for account security."

    This label is very poorly written.

    Our organization has chosen to emphasize use of the authenticator app rather than using phone numbers and inevitably users who are struggling to set things up are bemused (at best) or irate (at worst) when we tell them to click on "update your phone numbers" in order to set up the authenticator app.

    The link text should be written in such a way that it makes sense for people depending on phone numbers and for…

    1 vote
    0 comments
  10. Specify the applied entity in the "Activity Map" on the Cloud App Security dashboard

    "Activity" on the world map might indicate "activities" as defined in the other reports on the dashboard about user activity. However it seems that the applied entity in the "Activity map" is defined as "active users with any number of activities (including any number of logins) during the specified time interval".
    A clarification about the definition and applied entity on the "Activity map" as well as in the documentation would be helpful and appreciated.

    1 vote
    0 comments  ·  Reports
  11. Provide the option to decrypt emails on the client only

    In the Snowden incident, the government forced Lavabit to provide them with their SSL keys, in order to decrypt their traffic.

    For some clients in financing and government, this risk might not be acceptable.

    Therefore, it should be possible to have an additional encryption layer on top of SSL, where emails are transferred to the client in an encrypted state and can only be decrypted by the client.

    1 vote
    0 comments
  12. Dangerous behaviour of SPAM Whitelist

    If there are multiple senders in the SMTP header, the spam whitelist checks each of these senders, and if one is included, then the message is whitelisted. Sounds good.

    I have received some phishing emails that are whitelisted because the faked sender is in my whitelist.

    MAIL FROM: <wicked@spam.com>
    From: Display Name <good@wellknown.com> <wicked@spam.com>
    (no sender field)

    So, if I have <good@wellknown.com> in my whitelist, the mail would not be checked as spam. The mail, however, is sent from <wicked@spam.com>. It would be displayed as
    Display Name <good@wellknown.com> in Outlook.

    1 vote
    0 comments  ·  Spam & Phishing
  13. Suggest White Sites

    Currently I am getting group messages from within our organization blocked. This is forcing me to go into the website each time to allow them. I'd like a feature which would say for future emails, this sender is OK to deliver.

    1 vote
    0 comments  ·  Spam & Phishing
  14. Reporting Phishing email/URL with Admin submission

    Admin submission is always completed as Verdict "not junk". However, the emails are 100% phish.

    Either you check the emails carefully, or add an option like "Block similar emails and URLs".

    1 vote
    0 comments  ·  Spam & Phishing
  15. test

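    Currently, when using Microsoft Office 365 services other than the Outlook on the web service, Skype for Business presence information is not displayed in the Office 365 navigation bar.
    Going forward, we would like presence either to be displayed correctly in all Office 365 services, or to be able to hide presence in all services.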

    1 vote
    0 comments
  16. ATP scanning document dimension limit

    Extend the O365 ATP limit for SharePoint Online documents. Currently O365 ATP supports 25MB documents in scanning with SharePoint Online.

    1 vote
    0 comments  ·  Spam & Phishing
  17. Hacking

    Yes my EX husband has signed all my emails up to different things. I only use my email for work. Every time I create a new email he gets into it and changes number and security info and PW. I created 5 in 24hrs the thing is he denies it he’s also doing identity theft impersonating people to try scam me on Gumtree he’s made himself administrator to my acc and has managed to get into my brand new iPhone new Apple ID emails etc. I have my phone locked away in a safe all the time and on Aeroplane mode. Living under same roof until…

    1 vote
    0 comments  ·  Advanced Security Management
  18. Add ability to block Apple Watches as mobile devices to prevent downloads of email

    As of now, a user could have an authorized mobile device (company iPhone or BYOD), for which he/she can get access to email. These devices have encryption and PIN policies via Office 365. These devices are registered and allowed via Office 365. If a user connects an Apple Watch to their iPhone, they can download email and attachments to it; the device is NOT encrypted nor PINed with policies and NOT authorized. Yet it is being allowed. Security risk.

    1 vote
    0 comments  ·  Advanced Security Management
  19. nothing

    nothing

    1 vote
    0 comments  ·  Advanced Security Management
  20. Release Spam notification to user immediately

    We are a financial organisation.
    Transactions are time based. Cannot afford to miss emails.

    The spam notification to users is sent once a day.
    Hence, by the time the user receives notification that a message has been quarantined, the action time is breached.

    This can lead to regulatory penalties, litigation, loss of business and brand impact.

    The spam notification should be sent to the user as soon as the message is quarantined.

    1 vote
    0 comments  ·  Spam & Phishing