How to Anonymize User Data in Microsoft 365 Usage Reports

The Fuss About Microsoft 365 Productivity Score

Last week, I wrote about the criticism leveled at the Microsoft 365 Productivity Score feature. Leaving the hysteria aside, the biggest point missed in the criticism is that the usage data presented in the new feature has existed and been accessible to organizations for a very long time. Aside from the usage reports available in the Microsoft 365 admin center (originally based on the reporting service, which goes back to 2015), Microsoft made the Power BI analytics pack for Office 365 available in 2017 to allow tenants to do more deep-dive analysis of the data.

The standard usage reports and the Power BI app both use Graph data as their consistent source of knowledge. Most ISV reporting applications do the same, with the difference being that ISVs typically extract and process the Graph data before storing it in their own repositories to keep it longer than the 180 days allowed by Microsoft. It was therefore curious that no one has protested the acquisition, storage, and reporting of usage data over the last five years.

Anonymizing User Data in Reports

Moving on, if organizations wish to protect the privacy of usage data, they can anonymize the data by replacing user, group, and site names in reports by selecting an option in the Reports section under Org settings in the Microsoft 365 admin center (Figure 1).

After the option is selected, all views of usage data have group, user, and site names replaced with system generated values (Figure 2).

For SharePoint site usage, the site URL and site owner are obscured (Figure 3).

Obscurity for Any Graph-Based Application

The protection extends to applications which make Graph API calls to fetch usage data. For instance, the extract below shows a user’s Teams usage data for 90 days returned by the Microsoft Teams user activity reports API.

Report Refresh Date        : 2020-12-02
User Principal Name        : FE7CC8C15246EDCCA289C9A4022762F7
Last Activity Date         : 2020-12-02
Is Deleted                 : False
Deleted Date               :
Assigned Products          : POWER BI (FREE)+OFFICE 365 E5 WITHOUT AUDIO
                             CONFERENCING+ENTERPRISE MOBILITY + SECURITY E5+BUSINESS APPS
                             (FREE)+MICROSOFT POWER AUTOMATE FREE
Team Chat Message Count    : 64
Private Chat Message Count : 233
Call Count                 : 14
Meeting Count              : 93
Has Other Action           : No
Report Period              : 90

Anonymizing user data like this makes reports less useful because it’s all but impossible to apply context to the data. We can tell that some users are more active than others, but who are the active users and why are they more active than others? Do they use Teams more than email or do they still like email? Is Yammer in use? Are we seeing growth in cloud-based document storage? Do we see more traction in some parts of the company than others.

Anonymizing data also creates some coding challenges. For instance, because user principal names are returned, my User Activity Report script can’t fetch sign in information from Azure AD, which means that another piece of the usage puzzle is missing (Figure 4).

Anonymizing Usage Data Wisely

Obscuring usage data is a good thing to do as a default. It stops people casually browsing information that they might not need or should not see. But if you want accurate data that can be interpreted and used for planning purposes, to improve the effectiveness of your investment in Office 365, or to track down unused licenses that you shouldn’t be paying for, a global administrator can switch the setting back to permit reports to include full information for a limited period. After you’re finished extracting and reporting the data, you can restore anonymity to user data.

---

Learn much more about reporting Office 365 activity in the Office 365 for IT Pros eBook.