Customizing Privacy Controls for Microsoft Graph Insights with the Graph Explorer

Posted on by Tony Redmond

The Graph is Grown Up and Needs New Controls

On August 4, Microsoft posted a blog called “Introducing new privacy controls with the Microsoft Graph” (later echoed in Office 365 Notification MC219941 dated August 6). The related Microsoft 365 roadmap item is 66462. Reading the blog post, you might be excused for not understanding the full context of the content. I needed to read it several times before comprehending what Microsoft announced in some fairly obtuse text. In a nutshell, they said:

  • Office Graph was introduced in 2014 to gather signals about user activity in Office 365 applications.
  • Delve was the first application to surface the results of those signals.
  • Users can disable the Office Graph in Delve settings (Figure 1). This has the effect that they don’t see insights about their document activity any longer.
  • The Office Graph has evolved to become the Microsoft Graph. More signals than ever before are gathered in the Graph and it’s appropriate to introduce new controls over the data used to derive insights such as the set of documents or sites available to a user which might be interesting to them.
  • The new controls are in the organization settings section of the Microsoft Graph schema. The controls can disable insights for the entire tenant (organization) or for the members of a Microsoft 365 or security group.
  • For the remainder of 2020, when evaluating if a user has access to insights, Microsoft will enforce the stricter of the Delve and organization controls. From 2021 on, the Delve controls will only be used in Delve and the rest of Office 365 will use the organization controls.
  • Microsoft will introduce per-user control over insights in the future. This control will replace the Delve setting.
Delve feature settings
Figure 1: Delve feature settings

Manipulating Graph Settings

You can’t argue against the logic that it’s best to move controls over Graph-derived insights away from a specific application into organization settings. My experience is that relatively few people use Delve today, possibly because the implementation of Microsoft Search across the Microsoft 365 suite has improved over the last few years. If this is true, then people probably don’t realize that control over insights is currently exerted through Delve.

While liking the idea of extra controls, the issue for tenant administrators might be how to implement the new settings. No GUI exists in the Microsoft 365 admin center and no PowerShell cmdlet is available.

Update: See below for where to apply updates using the Microsoft 365 admin center.

Instead, you must patch the Graph settings as described in this article. That’s just fine if you know how to patch the Graph and obviously not if you haven’t acquired that skill.

Graph Explorer Solves the Problem

The Graph Explorer is a utility built by Microsoft to demonstrate how to interact with the Graph. You can execute test commands or, after signing into your tenant, run the commands against real data. The Graph Explorer can therefore be used to update organization settings, just like you can use it to customize the Office 365 profile card.

First, you need to know your tenant identifier. This is easily found by running the Get-AzureADTenantDetail cmdlet (from the Azure AD module), where the value is returned as the ObjectId:

Get-AzureADTenantDetail

ObjectId                             DisplayName          VerifiedDomain
--------                             -----------          --------------
b662313f-14fc-43a2-9a7a-d2e27f4f3476 Office 365 IT Pros   Office365ITPros.com

With the tenant identifier, you can construct the URI needed to update the settings. For example, taking the value returned by Get-AzureADTenantDetail, the URI is:

https://graph.microsoft.com/beta/organization/b662313f-14fc-43a2-9a7a-d2e27f4f3476/settings/itemInsights

We need to populate the request body with the update we want to apply. To restrict insights for members of a selected group, the request body is something like shown below. The value passed is the object identifier of a Microsoft 365 or security group.

{
  "disabledForGroup": "c9758609-d33b-4eea-976b-d8e43a2ad135"
}

The easiest way to get the object identifier for a Microsoft 365 group is to run the Get-UnifiedGroup or Get-AzureADGroup cmdlets. For example:

Get-UnifiedGroup -Identity DisabledInsightsGroup | Select ExternalDirectoryObjectId

ExternalDirectoryObjectId
-------------------------
c9758609-d33b-4eea-976b-d8e43a2ad135

Get-AzureaADGroup -SearchString DisabledGraphInsights | Select ObjectId
                                           
ObjectId                             
--------                             
c9758609-d33b-4eea-976b-d8e43a2ad135

If you pass an incorrect identifier, no users will be restricted.

Equipped with the URI and the request body, you can now update the settings using the Graph Explorer. As shown in Figure 2, you select PATCH as the command type, beta as the endpoint, input the URI and the request body, and then click Run query. You can see that a 200 (OK) response is returned and the response shows that the disabledForGroup setting holds the group object identifier.

Patching the organization settings with the Graph Explorer
Figure 2: Patching the organization settings with the Graph Explorer

The updated setting can take up to eight hours to be effective across all Microsoft 365 applications.

Exploring the Effect of No Insights

Normally, the Microsoft 365 profile card includes a section about recent documents a user has worked on that are accessible to the person viewing the card. Figure 3 shows the profile card as displayed by OWA and we can see three files listed on the card with the opportunity to see more.

The Office 365 profile card with document insights
Figure 3: The Microsoft 365 Profile Card with document insights

If we disable insights for the user or the complete organization, document insights don’t appear on the profile card (Figure 4). In this instance, the user hasn’t disabled document insights in Delve, but because Office 365 applies the stricter of the organization and Delve settings, the removal of the insights is dictated by the organization settings.

The Office 365 Profile Card without document insights
Figure 4: The Microsoft 365 Profile Card without document insights

Administrators Don’t Do Graph

Recently, Microsoft has started to push out Microsoft 365 tenant settings that can only be manipulated using Graph calls. I think the folks who create these updates miss the point that most administrators are not Graph API literate, simply because this is not a tool they use in their daily work. It’s good that the Graph Explorer exists and can act as a workaround.

It would be better for all if Microsoft created either the GUI in the admin center or a PowerShell cmdlet to control new tenant settings. It would then be easier for tenants to embrace new functionality and Microsoft would see a higher uptake for their work.

Update: Settings for Meeting Insights and Item Insights are now customizable through the Search & Intelligence section of the Microsoft 365 admin center.

This might seem like an arcane subject, but it’s important for Office 365 tenant administrators to understand the tools at their disposal and what those tools can do. We explain how in the Office 365 for IT Pros eBook. Subscribe today!

3 Replies to “Customizing Privacy Controls for Microsoft Graph Insights with the Graph Explorer”

  1. So I’ve disabled this in the Search and Intelligence centre and confirmed in the Graph that “isEnabledInOrganization”: false is showing yet after 48 hours, my users can still see active information within SharePoint on document activity on both Followed Sites and Suggested Sites. All this setting has done for me is disabled the Frequent Sites. Is there a way to clear out collected data or to disable the tracking of documents with this?

    Reply

    1. I think you’re at the mercy of background processes which need to run to update stuff across the service. Typically, the SLA for this kind of thing is one week. If it persists longer, you might want to file a support incident. Things can take their time in the cloud…

      Reply
  2. Pingback: Microsoft Replaces Office Graph Controls with Microsoft Graph Privacy Controls

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.