Privacy changes to Microsoft 365 Usage Analytics
Published Aug 30 2021 09:00 AM 26.6K Views
Microsoft

At Microsoft, we’re committed to both data-driven insights and user privacy. As part of that commitment, we’re making a change to Microsoft 365 usage analytics on September 1st to pseudonymize user-level information by default. This change affects the following products and APIs, and will help companies support their local privacy laws: 

 

Global administrators can revert this change for their tenant and show identifiable user information if their organization’s privacy practices allow. This can be achieved in the Microsoft 365 admin center by going to Settings > Org Settings > Services and selecting Reports. Under Choose how to show user information, uncheck the statement In all reports, display de-identified names for users, groups, and sites, and then save your changes. Showing identifiable user information is a logged event in the Microsoft 365 compliance center audit log.  

 

When user identification is enabled, administrative roles and the report reader role will be able to see identifiable user level information. Global reader and Usage Summary Reports Reader roles will not have access to identifiable user information, regardless of the setting chosen. 

 

These changes to the product will bolster privacy for users while still enabling IT professionals to measure adoption trends, track license allocation and determine license renewal in Microsoft 365. 

 

Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!

24 Comments
Copper Contributor

Bonjour,

Depuis que cette fonctionnalité a été activée, nous avons une série de chiffres et de lettres à la place des username.

Par contre, dans les paramètres de l'organisation > Rapports, l'option est bien cochée.

En décochant l'option "Show identifiable user information in reports", on retrouve bien les noms ou adresses mails dans les rapports.

Il y a soit un problème de traduction, soit un problème de fonctionnalité.

Merci d'avance

Copper Contributor

Hi,

 

was this information communicated in advance via some other location? Without such communication, applications dependent on the previous behavior and setting are suddenly broken, requiring customer to react.

 

Rob O

Copper Contributor

There is some way to decode the pseudonymize data? there are some graph endpoint to recover the user information?

Copper Contributor

@EmanuelVazquez 

Yes : 

Global administrators can revert this change for their tenant and view identifiable user information if their organization's privacy practices permit. 
This can be done in the Microsoft 365 admin center by going to Settings> Organization Settings> Services and selecting Reports.
Under Choose how to display user information, deselect Display identifiable user information in reports.
 
Copper Contributor

Is it possible to get the same kind of pseudonymization on other graph endpoints?

 

It would be great to be able to tie data to departments or countries (not necessarily individual users) by combining the data with https://graph.microsoft.com/v1.0/users.

Copper Contributor

Was this announced in the M365 or Azure Admin Message Center? There is also nothing about anonymizing usage data in the M365 Road Map, other than a reference to Teams usage anonymization in May 2021. Please share where this was announced or communicated prior to August 30th 2021 for a Sept. 1 2021 implementation. This change broke several reports in our environment that require user information to be in the report. We have reverted, but would have appreciated advanced communication. Thank you!

Microsoft

@downtownmtb-Allina @Robert Osborne Thank you for taking the time to share the impact this change has had. This change was announced via the Microsoft 365 public roadmap and message center in the Microsoft 365 Admin Center. The announcement was provided with 30 days notice in line with our standard notification procedures for this type of change.

 

@Axel Andersen I’m not aware of any further efforts regarding pseudonymization for other graph endpoints, we will provide your request to the Graph API team and ask them to reach out.

Copper Contributor

@James_Bell please can you share the relevant items?

I can only see roadmap feature ID 70774 last modified in June, which refers to admins "will have the option" to anonymise, not that it would be switched to on by default.

The Message Center does not have anything relevant against searches for "privacy", "anonymize", "anonymous".

 

Microsoft

Hi @Simon Gardner , it was contained in Message Center Post: MC275344 and Roadmap ID: 81959

 

Copper Contributor

You need to update the documentation of the affected methods to indicate that some fields will be anonymized.

 

Ex.  https://docs.microsoft.com/en-us/graph/api/reportroot-getemailactivityuserdetail?view=graph-rest-1.0

Microsoft

Hi @Grattle , thanks for letting me know. I'll work with our documentation team to have the content updated. 

Copper Contributor

Hi, I want to maintain pseudonymize option in the tenant, but I need to get a report from Graph, anybody knows if there are some way to "decrypt" these data on my side by coding? i'm using c#

Copper Contributor

Hi, If userPrincipalName and displayName is concealed, how can we know the data belongs to which user? For example, if we want active users report, we can only see the ID which serves no purpose in that report. I understand that we can disable this option, but my question is why do we had this option in the first place?

 

Is there a mapping for the concealed information and the actual information anywhere that only admins can view/fetch? If so, that would be useful.

Microsoft

@EmanuelVazquez we do not provide the ability to decrypt the information.  @Manikandan_N , we include the option to bolster privacy for users while still enabling IT professionals to measure adoption trends, track license allocation and determine license renewal in Microsoft 365.  There is no mapping between the settings.  The change described in the article is to modify the default setting to hide user level information from 'off' to 'on'. We did not modify the functionality of the product with this change, just the default setting which can be reverted using the method described above. 

 

 

Copper Contributor

Hi, shall we modify(enable/disable) this setting via powershell or graph api? Or any ways to know that this setting is enabled or not via powershell/api?

Copper Contributor

Hi, @James_Bell.

 

I have some questions about getSharePointSiteUsageDetail API. This report provide information about used storage, file count, last activity date and others. Maybe those properties can be received via either Graph API or SharePoint REST API?

 

For used storage i've already found SharePoint API endpoint:

GET http://<sitecollection>/<site>/_api/site/usage

 

Could you suggest some endpoint for file count and last activity date?

 

Thank you!

Copper Contributor

Dear @James_Bell ,

 

Kindly ask you to support us with an issue that we have faced with User Activity Reports, obtained via Graph API. We are using GetTeamsUserActivityDetail API (https://docs.microsoft.com/en-us/graph/api/reportroot-getteamsuseractivityuserdetail?view=graph-rest...).

 

Recently we have noticed that mapping is not working due to the format of data in the UserPrincipalDate being changed, starting from the 1st of September the data in this field was encoded. 

 

We've changed the configuration in the admin center and now data come in decoded format. We've also reprocessed API for the last 28 days, but can't reprocess the data for the previous period, starting from 1st of September till 5th of January due to API limitation. 

 

Can you please advise us on how to solve this issue with historical data, how we can obtain decoded data for the requested period, or maybe you can suggest to us an algorithm, how to decode the UserPrincipalName field?

 

Thank you beforehand!

Copper Contributor

Hi @James_Bell ,

Is it possible to revert this change (that is, to show identifiable user information) only for specific users and applications?

Our use case is that we generate many custom reports to analyze license usage and application adoption, in which we use identifiable information. However, we would like to keep data anonymized by default and preserve user privacy as much as possible.
Therefore, we would like to have one single application that gets all identifiable information via Graph API, but everywhere else the information should always appear pseudonymized.

Thank you in advance,
Leonardo Benitez

Iron Contributor

I do not see where @LeonardoBenitez question was answered. We would also like to reinstate this setting (as instructed in your article) but would like to restrict its viewing to M365 admin roles and SPO site owners. Is there a way to do that?

 

Thanks, in advance, for your follow-up

 

Microsoft

Hi @Lisa Stebbins @LeonardoBenitez , it is not possible to allow this for specific users and applications - the setting is on or off.  We have made it easier to change the setting to be on or off via an API, which is an auditable event. More information can be found here: https://techcommunity.microsoft.com/t5/microsoft-365-blog/privacy-changes-and-api-support-for-micros...  

Copper Contributor

Hi @James_Bell 

By disabling this privacy setting, I gather that any analytics tool can access the user information with the right access permissions?

Microsoft

Hi @MaynardBester , yes - if a Global Administrator reverts the setting, then identifiable user information will be shown to authorized users if their organization’s privacy practices allow. 

Copper Contributor

@James_Bell can you clarify what the GUID is that anonymises the UPN? It is not the same UPN GUID that can be seen on a user's AD profile. 

Microsoft

Hi @Marko219, we use MD5 hashing to anonymize the UPN. 

Co-Authors
Version history
Last update:
‎Sep 14 2021 09:31 AM
Updated by: