ITDR (MDR for Microsoft 365)

As an MSP Account Admin, I have the rights to respond to alerts with full functionality. My clients are Organizational Admins, and they get all the alerts but cannot act on them and they find this rightly frustrating. We've heard from Huntress that you have intended to either expand on those rights OR allow us to create Account Admin rights that can be limited to single organizations or sets of end points. Do you intend to make these changes, ever, and if so- when?

It would be great if there were a true two-way sync of incident statuses

I need the ability to set a start date for location rules in advance. This feature would be beneficial for situations like when a senior lawyer is going on a cruise, and I have the stopover dates. I want to add these dates proactively rather than scheduling them manually later, which can be risky.

I realize this would be tricky to implement because of the numberous different ways organizations can implement conditional access policies to block unwanted countries. However, with the introduction of the feature to track unwanted access by countries in Huntress ITDR we've now been doing double duty having to track and enter scheduled exlusions in both Huntress and Entra ID (we utilize the open source CIPP to schedule these exclusions). It would be great if Huntress would integrate with Entra ID so that the scheduled/timed exclusion that we're creating in Huntress to mark that country as allowed would have the ability to link to a conditional access policy that it can update on the start/end dates of the scheduled travel as well. Due to everyone potentially having different conditional access policies - the easiest way I can invision this being implemented is simply pulling a list of the Conditional Access policies from the tenant when scheduling the exclusion and requesting which policy should be used for this particular exclusion. Then Huntress can add the user to that conditional access policy for the exclusion when the scheduled travel starts and then remove them when the scheduled travel ends. This is coincidentally the same way CIPP handles these exclusions. This allows this functionality to work for anyone who has individual conditional access policies for each country, one single conditional access policy for all countries, or anywhere inbetween.

It would be nice to be able to view all applied rules in an organization or MSP level to see what has been put out there. A way to audit what the technicians are doing and ensuring that only what is needed is actually in place without having to click on each individual user. Even further an option to export this into report form in order to present to the client and ensure again, only what is needed is there. Ex: Applied Rules User Email Rule Summary? Date Applied(start of rule) Date End(end of rule) etc.?

Please add functionality to map multiple Microsoft 365 tenants into a single Huntress organization. We have clients that are acquiring competitors. We need to be able to feed M365 MDR data into Huntress while billing our clients under the parent organization.

We have certain accounts that are used by contractors around the globe. We do not want Huntress to keep notifying us of unexpected logins, and I don't want to have to spend my time creating and maintaining rules for all the countries that are allowed. We want to allow logins from any country except those that are high-risk or sanctioned, like North Korea, Russia, Iran, etc. If we do have a contractor working in one of these countries, then we'd also like the option to create an exception for that specific country while disallowing all the other risky countries.

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

Have a Critical incident generated in the event the Emergency Break Glass/ Allocated User is accessed. per Microsoft recommendations https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

Hey Huntress team. Hope this helps with roadmap planning. Identity attacks keep getting more sophisticated, and I think there are some features that could make Huntress even more powerful for our day-to-day operations. Here are a few ideas around deeper identity risk insights, better remediation guidance, and unified threat correlation that would help everyone respond faster. Deep Configuration Intelligence: Scan for complex identity misconfigurations beyond standard checks, including misaligned cross-tenant access settings, risky OAuth app permissions, and overprovisioned service principals with prioritized severity ratings. Enhanced Remediation Guidance: Provide tenant-specific, prioritized remediation steps with guided or automated fixes. For example, when detecting risky SharePoint external sharing paired with weak guest access policies, offer specific configuration adjustments tailored to that environment. Cross-Domain Threat Correlation: Link identity-based threats (like suspicious Entra ID logins) with endpoint activities (such as malware detections) to map complete attack chains. This would provide a unified incident view showing the full scope of an attack for faster, more effective response. Zero Trust Maturity Dashboard: A progress tracking system that measures ongoing Zero Trust framework alignment, with specific metrics around identity security posture and measurable improvement over time. Thank you for taking the time to consider these suggestions. While I realize some of these ideas may have been recommended before, I wanted to share them just in case they haven’t been fully explored yet. I believe they could bring meaningful improvements and help make Huntress even more effective. I appreciate all the hard work your team puts into the platform.