Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service, and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾ Check out the ideas others have suggested and vote on your favorites
◾ If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾ Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

  1. 3 votes
    0 comments  ·  Spam & Phishing
  2. Line breaks in headers allow spam to evade rules

    Our organization had a rule to cause e-mail from @anything.onmicrosoft.com except our organization to be marked as spam since these addresses were being used to get a high trust rating. We set up the rule properly (as verified by the tech who handled the ticket on this) but found that spam evaded it by putting line breaks in the headers, such as:

    From: Autoreply
     <fake@fake.onmicrosoft.com>

    Return-Path:
     fake@fake.onmicrosoft.com

    We were able to work around this by changing the rule to look at the Message-ID header instead, but Office 365 should update the rule engine to…

    3 votes
    0 comments  ·  Spam & Phishing
  3. File type

    In OneDrive retention, be able to search by file type, not only by keywords

    3 votes
    0 comments  ·  Compliance Manager
  4. Outlook Configuration Pushed from O365

    One example may be to configure Trust Center settings through a client policy / GPO-like function. It would add tremendous value and could help the organizations that don’t have AD or have less experience managing their own AD.

    3 votes
    0 comments  ·  Advanced Security Management
  5. Report for Top Recipients in a specific mailbox

    A report that shows me the top recipients (from) of specific mailboxes.

    We already have a report that shows what mailbox receives/sends more messages, but I can't get more details and see who sends more messages to that specific mailbox.

    3 votes
    0 comments  ·  Reports
  6. No SharePoint UI notification when attempting to delete a site under a retention policy

    When attempting to delete a SharePoint site that is currently under a Retention Policy to keep it, there is no notification in the UI that informs the user that the site cannot be deleted, or that it's part of a retention policy. (Modern Experience) Attempts to delete a site via PowerShell result in an error message, but the SP UI moves on as though the site were deleted.

    3 votes
  7. Automatic sending of audit logs to one of the admin emails by time (weekly).

    Since it has a retention policy to delete old logs, I need to keep them somewhere.

    3 votes
    0 comments  ·  Auditing
  8. Log-in permitted only by "Office365 ID"

    A lot of malicious attempts to log in to email addresses occur every day.
    The malicious hacker (or robot) can try to log in to an email account using the email address as the user ID (e.g. john.smith@microsoft.com) and then try to find the right password (brute force or similar attempt).

    In order to improve log-in security, the most important thing is of course to enable multi-factor authentication, but in my opinion another very important feature is that it has to permit log-in to the email account with an "Office365 ID" (known only by John Smith and chosen by John Smith during the sign-up steps)…

    3 votes
    0 comments  ·  Advanced Security Management
  9. OneDrive for Business - Allow guest access to a folder

    You can currently share a file with a person external to your organisation without them having to sign in to OneDrive with a Microsoft account first, by unchecking the 'require sign-in' checkbox. However, the 'require sign-in' checkbox is not available when you try to share a folder in this way. Please can this feature be added to OneDrive for Business.

    3 votes
    0 comments  ·  Advanced Security Management
  10. Enable SharePoint site tags for granular conditional access in MCAS session policies

    The SharePoint site tags for granular conditional access (preview) are really helpful, e.g. to direct a session to a SPO site with highly sensitive information to MCAS to apply session controls. However, it would be most helpful, if MCAS could use the tags in the session controls as well, so they'd apply to only sites with the specific tag (e.g. Level1). This way we could easily automate access restrictions and controls for sites which are tagged for sensitive content and allow less restrictive access for all other sites.

    3 votes
    0 comments
  11. conditional

    As Office 365 E3 subscribers we are facing continual and increased threats daily from people trying to hack into user accounts. We've implemented lots of security inside our corporate network such as email and web filtering and made use of SSO/Modern authentication to make things as secure vs. seamless for our staff as much as possible.

    Next for us is 2FA. However with a highly secure corporate network we would only want to enforce 2FA for devices accessing 365 accounts outside of it. Azure Active Directory P1 is far too high a cost for us to justify just to get…

    3 votes
    0 comments  ·  Advanced Security Management
  12. Add dark, night or high contrast mode

    Please add dark, night or high contrast mode ASAP before we all go blind. Exchange Admin Center too, please.

    3 votes
    0 comments
  13. Increase ATP SafeLinks character Limit

    ATP SafeLinks can be used to block malicious or other undesirable URLs and domains using a blocklist. The Security & Compliance portal puts a limit of 128 characters on links that can be blocked. We would like this limit to be lifted or increased, as we are seeing multiple instances of malicious links that are not blocked by ATP, and cannot be added manually.

    3 votes
    0 comments  ·  Spam & Phishing
  14. delete app passwords for compromised accounts

    In case of compromised accounts I would automatically remove existing app passwords by PowerShell (not only killing existing sessions). The Admin GUI allows it but it is not sufficient for an automated workflow.

    3 votes
    0 comments  ·  Advanced Security Management
  15. ATP Safe Links should not show the user the link when blocking

    Currently when a URL is blocked by Safe Links, the blocking screen shows a partial URL. A user can double-click that (to select all the text) and get the full URL and paste it into the browser, bypassing Safe Links completely. Give Admins the option to not let the user see the full URL that is being blocked, so they don't get clever and go around it this way.

    3 votes
    0 comments  ·  Spam & Phishing
  16. Enable filtering of IPv6 addresses

    The bad guys know that Exchange Online email Admins cannot filter IPv6 addresses in the Threat Management/Spam Policy settings. IPv6 is gaining widespread adoption as a superior, more robust transmission protocol but we Admins are unable to block incoming emails transmitted from published blacklisted IPv6 servers. This is a significant security flaw. Microsoft needs to enable filtering on IPv6.

    3 votes
    0 comments  ·  Spam & Phishing
  17. .

    .

    3 votes
    0 comments  ·  Auditing
  18. Attack Simulator - Ability to terminate any running attack

    Currently attack simulator doesn't have good UI functionality to terminate running attacks. Here is my scenario:

    I was using the Password Spray feature of attack simulator and trying to simulate a password spray across a large number of users. When I clicked finish to launch the attack I received an error message and it left me in the launch attack wizard UI. Assuming the error message meant the attack hadn't been launched, I tried changing the number of users and trying again a number of times, still receiving an error each time. After that I went back to the attackdetails…

    3 votes
    1 comment
  19. Prevent users from logging in to the Azure portal

    The Office365 user should not be able to log in to the Azure portal by default.

    3 votes
    0 comments  ·  Advanced Security Management
  20. ATP not blocking basic 'use once' dynamic phishing attacks

    We are seeing more and more incidents of use once dynamic phishing attacks. These always originate from a *.host site and always use JavaScript to exfiltrate data and then display a logon box that looks a lot like a genuine Office 365 logon box. Upon logging in the user's creds are used to log onto Office 365 via SMTP/IMAP and then send out hundreds of emails.

    Why is ATP unable to pick these up? These have been doing the rounds for months now...

    3 votes
    0 comments  ·  Spam & Phishing