On August 4, Microsoft posted a blog called “Introducing new privacy controls with the Microsoft Graph” (later echoed in Office 365 Notification MC219941 dated August 6). The related Microsoft 365 roadmap item is 66462. Reading the blog post, you might be excused for not understanding the full context of the content. I needed to read it several times before comprehending what Microsoft announced in some fairly obtuse text. In a nutshell, they said:
Office Graph was introduced in 2014 to gather signals about user activity in Office 365 applications.
Delve was the first application to surface the results of those signals.
Users can disable the Office Graph in Delve settings (Figure 1). This has the effect that they don’t see insights about their document activity any longer.
The Office Graph has evolved to become the Microsoft Graph. More signals than ever before are gathered in the Graph and it’s appropriate to introduce new controls over the data used to derive insights such as the set of documents or sites available to a user which might be interesting to them.
The new controls are in the organization settings section of the Microsoft Graph schema. The controls can disable insights for the entire tenant (organization) or for the members of a Microsoft 365 or security group.
For the remainder of 2020, when evaluating if a user has access to insights, Microsoft will enforce the stricter of the Delve and organization controls. From 2021 on, the Delve controls will only be used in Delve and the rest of Office 365 will use the organization controls.
Microsoft will introduce per-user control over insights in the future. This control will replace the Delve setting.
Figure 1: Delve feature settings
Manipulating Graph Settings
You can’t argue against the logic that it’s best to move controls over Graph-derived insights away from a specific application into organization settings. My experience is that relatively few people use Delve today, possibly because the implementation of Microsoft Search across the Microsoft 365 suite has improved over the last few years. If this is true, then people probably don’t realize that control over insights is currently exerted through Delve.
Although I like the idea of extra controls, the issue for tenant administrators might be how to implement the new settings. No GUI exists in the Microsoft 365 admin center and no PowerShell cmdlet is available.
Update: See below for where to apply updates using the Microsoft 365 admin center.
The Graph Explorer is a utility built by Microsoft to demonstrate how to interact with the Graph. You can execute test commands or, after signing into your tenant, run the commands against real data. The Graph Explorer can therefore be used to update organization settings, just like you can use it to customize the Office 365 profile card.
First, you need to know your tenant identifier. This is easily found by running the Get-AzureADTenantDetail cmdlet (from the Azure AD module), where the value is returned as the ObjectId:
With the tenant identifier, you can construct the URI needed to update the settings. For example, taking the value returned by Get-AzureADTenantDetail, the URI is:
We need to populate the request body with the update we want to apply. To restrict insights for members of a selected group, the request body is something like that shown below. The value passed is the object identifier of a Microsoft 365 or security group.
If you pass an incorrect identifier, no users will be restricted.
Equipped with the URI and the request body, you can now update the settings using the Graph Explorer. As shown in Figure 2, you select PATCH as the command type, beta as the endpoint, input the URI and the request body, and then click Run query. You can see that a 200 (OK) response is returned and the response shows that the disabledForGroup setting holds the group object identifier.
Figure 2: Patching the organization settings with the Graph Explorer
The updated setting can take up to eight hours to be effective across all Microsoft 365 applications.
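The steps above as a single script, with a guard for the silent-failure case where a wrong group identifier restricts nobody. This is an added example, not code from the original article. It assumes the AzureAD module is installed, that $AccessToken holds a Graph token for an administrator allowed to change organization settings, and that the settings/itemInsights path (taken from Microsoft's Graph documentation, not from this page) is the target resource.

```powershell
# Added example, not from the original article.
# Assumptions: AzureAD module installed; $AccessToken is a Graph access token for an
# administrator permitted to update organization settings; $GroupId is supplied by you.
param(
    [Parameter(Mandatory)] [string] $GroupId,
    [Parameter(Mandatory)] [string] $AccessToken
)

Connect-AzureAD | Out-Null

# Step 1: the tenant identifier is returned as ObjectId.
$TenantId = (Get-AzureADTenantDetail).ObjectId

# Guard: Graph accepts an incorrect identifier but then restricts no users,
# so confirm the value is a GUID and resolves to a real group before patching.
$Parsed = [guid]::Empty
if (-not [guid]::TryParse($GroupId, [ref]$Parsed)) {
    throw "'$GroupId' is not a valid object identifier."
}
try {
    $Group = Get-AzureADGroup -ObjectId $GroupId -ErrorAction Stop
} catch {
    throw "No group with object identifier $GroupId exists in tenant $TenantId."
}

# Step 2: build the URI against the beta endpoint (path is an assumption, see lead-in).
$Uri     = "https://graph.microsoft.com/beta/organization/$TenantId/settings/itemInsights"
$Headers = @{ Authorization = "Bearer $AccessToken" }

# Step 3: the request body names the group whose members lose insights.
$Body = @{ disabledForGroup = $GroupId } | ConvertTo-Json

# Step 4: PATCH the organization settings.
Invoke-RestMethod -Method Patch -Uri $Uri -Headers $Headers `
    -Body $Body -ContentType 'application/json' | Out-Null

# Read the setting back instead of trusting the 200 response alone.
$Current = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
if ($Current.disabledForGroup -ne $GroupId) {
    throw "disabledForGroup is '$($Current.disabledForGroup)', expected '$GroupId'."
}
"Insights disabled for members of '$($Group.DisplayName)'. " +
"isEnabledInOrganization is $($Current.isEnabledInOrganization)."
```

The read-back confirms what is stored in the tenant; the change can still take up to eight hours to reach every application.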
Exploring the Effect of No Insights
Normally, the Microsoft 365 profile card includes a section about recent documents a user has worked on that are accessible to the person viewing the card. Figure 3 shows the profile card as displayed by OWA and we can see three files listed on the card with the opportunity to see more.
Figure 3: The Microsoft 365 Profile Card with document insights
If we disable insights for the user or the complete organization, document insights don’t appear on the profile card (Figure 4). In this instance, the user hasn’t disabled document insights in Delve, but because Office 365 applies the stricter of the organization and Delve settings, the removal of the insights is dictated by the organization settings.
Figure 4: The Microsoft 365 Profile Card without document insights
Administrators Don’t Do Graph
Recently, Microsoft has started to push out Microsoft 365 tenant settings that can only be manipulated using Graph calls. I think the folks who create these updates miss the point that most administrators are not Graph API literate, simply because this is not a tool they use in their daily work. It’s good that the Graph Explorer exists and can act as a workaround.
It would be better for all if Microsoft created either the GUI in the admin center or a PowerShell cmdlet to control new tenant settings. It would then be easier for tenants to embrace new functionality and Microsoft would see a higher uptake for their work.
Update: Settings for Meeting Insights and Item Insights are now customizable through the Search & Intelligence section of the Microsoft 365 admin center.
3 Replies to “Customizing Privacy Controls for Microsoft Graph Insights with the Graph Explorer”
So I’ve disabled this in the Search and Intelligence centre and confirmed in the Graph that “isEnabledInOrganization”: false is showing yet after 48 hours, my users can still see active information within SharePoint on document activity on both Followed Sites and Suggested Sites. All this setting has done for me is disabled the Frequent Sites. Is there a way to clear out collected data or to disable the tracking of documents with this?
I think you’re at the mercy of background processes which need to run to update stuff across the service. Typically, the SLA for this kind of thing is one week. If it persists longer, you might want to file a support incident. Things can take their time in the cloud…