We do cannot trace emails based on Subject , specially when we are dealing with SPAM emails that got delivered to almost all users

Message Trace do not include Attachment property and by only knowing attachment name you cannot find it. For example knowing a specific attachment has been leaked out from company but you cannot search it from the Trace.

Adding encryption ome v2 (encrypt-only) to outbound emails with sensitive data detection is easy enough. However when that email is opened by the recipient and replied to, the email comes in encrypted to the sender, who has to go thru the process to decrypt. There is an option in the EOP rule to "Remove Office 365 Message Encryption and right protection" however fails since the predicate must match "The sender is located?" "Inside the organization". This is no problem with ome v1 but is not working with ome v2. Need to add the capability to decrypt those messages automatically.

Right now the audit log search allows for searching user sign-ins but not failed login attempts. This can be accessed by exporting the events but having that feature available in the search would make it more convenient to get an at-a-glance view of failed attempts and the IP addresses that are attempting to get access. This is not to say I don't trust Microsoft's ability to detect suspicious logins; it's more for our own situational awareness of where *********** attempts are coming from.

Currently office365 has a messaging limit of 30 per minute. It would be idial to have this increased to maybe at least 50 per minute.

Office 365 admins should be able to go into the mail flow queue and delete or resend emails that show "stuck" (either pending for a long time) or duplicate emails.

Employee's send out emails with no subjects all the time, however I am unable to add a null/blank subject as a condition in content search.

I am also unable to content search or filter based off of message ID.

There is also no time option, only date, as a search condition.

This makes content searching for an email with no subject a huge pain.

Please add the ability to create content searches based off of blank/null subjects, sent time between X and Y, and based off of message ID in the mail headers as an option.

Currently users with the ediscovery role can run search for content and download that content. Using the New-ComplianceSearchAction -purge -softdelete you can delete this content (which we use for deleting spam or malware emails out of mailboxes). We do not want our security operations team to use powershell to complete these deletes so we have to write a gui to provide this functionality. Please enable the ability to complete deletes within the SCC itself

As a support provider I've seen an influx of fraudulent access cases. I would like to see an audit log option (and alert) for Inbox and Forwarding Rules as well as for Mass Failed Logins.
I know that for E5 and Advanced Security Management subscribers they can create something for failed logins but with this becoming more common place I think the people would appreciate this functionality.

Enable encryption to be a link in the body of the message instead of an attachment. Many filters block html attachments.

When creating the policy, the * means all, but it still forces you to select users to add to the retention policy.

Adding Preservation Policies for Sharepoint and OneDrive is to time consuming. There needs to be an easier option to preserve all users drives and SharePoint Sites.

The current wizard is 9 pages and you need to have the exact address of the users site to add each one. It would take months for me to add all of my users in this way.

Preservation policies for Mailboxes at least let you search and select all to add them, so it would take considerably less time to complete. That would be at least a modest improvement.

Fix ATP Threat Explorer Incident Reporting

We would like to use ATP Threat Explorer to mitigate phishing messages coming into our environment. The incident reporting does not build confidence in the tool. As an example I recently used it to hard delete 6 messages from our environment. The incident report did not give data for two full days. When it did, it reported status "Failed". However, looking at the report details, all six messages show hard delete status "Success", with no failures. Accurate and timely reporting of incident results will build confidence in the ATP Threat Explorer tool.

I would like to Create and alert if there are failed login attempts or successful login attempts from IP addresses originating outside of my City/State/Country.

Allow us to either white list IP addresses and alert for any not on the white list. Blacklist IP addresses and alert based off of just black list. Select Country regions and alert if selected countries IP addresses are the originating IP. Allow us to alert for only failures, only successes, or both.

The Audit Log's functionality in Office 365 is excellent but the logs are only held for ninety days rolling.

Due to this we are having to look at third party solutions to export the logs automatically, but this would be much easier if you extended the logging period out to a much longer period - years would be better than months.

I'd very much like to see support for CAA records in the future =).
See https://support.dnsimple.com/articles/caa-record/

The check for this record is going to be mandatory with September 2017. The security of all our certificates and domains would be greatly improved if we could set this record :)

Office 365 Message Encryption currently only provides the ability to specify one set of branding configurations (see https://technet.microsoft.com/en-us/library/dn569292.aspx). Large enterprises that have multiple entities need the ability to provide branding for each entity.

For example, if Contoso was comprised of entities Fabrikam, Northwind, and ADatum, each entity should be able to specify it's own branding for OME.