Understanding security and privacy of Delve and intelligent experiences in Office 365
Within Office 365, Delve is an intelligent service aimed at helping users stay in the know – to discover new, relevant information and people based on who they work with and the content they work on. Delve proactively discovers content across Office 365 and connects users to content and people, intuitively and in a personalized fashion. Powered by the Microsoft Graph, Delve brings you information from across Office 365 – OneDrive for Business, SharePoint Online, Exchange Online, Yammer, Office 365 Video and more. Delve will only show you content that you have access to—it always respects the permissions and security policies of that content. We want to provide insight and clarity for the security and privacy that comes with, and backs, Delve in Office 365. And to be clear about what role the Microsoft Graph plays, examples of how it is used in Delve and throughout Office 365. Security and Privacy Delve is covered under the Office 365 Trust Center and meets all of the requirements of our highest level of compliance which Microsoft refers to as “Tier D” compliance, e.g., ISO 27001 and 27018 certification, SOC 1 and SOC 2 compliance. Delve is also licensed under the Microsoft Standard Online Services Terms which include commitments such as the EU Model Clauses. This, too, applies to the Microsoft Graph - the underlying intelligence service that uses advanced analytics to provide relevant, personalized insights via Delve and other user interface experiences throughout Office 365. You can read more within the public “Office 365 Compliance Framework for Industry Standards and Regulations" document (.pdf). Customers own their Microsoft Graph data, which is stored in their partition of Office 365. The Microsoft Graph data has the same protection and security as other customer data stored in other Office 365 services. Delve never changes any permissions on content or other information. Users only discover what they already have permission to see. Only you can see your private documents in Delve, unless you decide and act to share them. It is important content owners establish and maintain any required or desired access rights and permissions on the content/documents themselves. Documents are not stored in Delve, but rather they are only displayed within the Delve experience from where they are stored, for example OneDrive for Business or a SharePoint Online document library. People can't see each other's private activities, such as what documents they've read, what emails they've sent and received, or what Skype for Business conversations they've been in. People can see when others modify a document, but only if they have access to the same document. What you see when you open Delve is personalized to you, and no one else sees the same files, content, and activity you do. It is possible to opt out of Delve at both the tenant level and the user level. Once opted out, users will not see the Delve tile in the Office 365 app launcher. Opted out users’ document activity (documents they are accessing) is no longer used to help others discover their content. Additionally, various services that surface content and recommendations from the Microsoft Graph to provide intelligence throughout Office 365 will simply not appear. They, too, may revert to previous non-Graph-based methods -- for example, search-based vs graph-based. One example, if you opt out, you would not see the new "Discover" tab within OneDrive for Business - yet the core of OneDrive for Business remains intact. To learn more, please review these two important Delve security and privacy support articles; the first for admins and second for users: "Office Delve for Office 365 admins", "Are my documents safe in Office Delve?". Additionally, it is important to understand permissions levels in SharePoint and other content repositories; examine existing permissions if you perceive any unintended exposure. The Microsoft Graph – supporting the business user and the developer The content, activity, people, and recommendations that surface in Delve and other intelligent experiences are powered by Microsoft Graph. The Microsoft Graph represents a collection of content and people, and the activity that happens across the entire Office suite. From email, social conversations, and meetings, to documents in SharePoint and OneDrive, the Microsoft Graph maps the relationships among people and information, and acts as the foundation for intelligent experiences, providing more relevant and personalized experience to each user. The Microsoft Graph uses sophisticated machine learning techniques to connect people to the relevant content, conversations and people around them. A visual representation of the various content sources and signal Delve and the Microsoft Graph leverage to help make discovery or relevant content and people possible. Review which types of content you can expect to see in Delve. And learn more about the Microsoft Graph. Intelligence beyond Delve, throughout Office 365 and beyond The value of infusing intelligence within Delve, and throughout Office 365 applications, means you have access to intelligent information and insights right where you are working without leaving the app or experience where you are working. You’ll see intelligence in OneDrive for Business in the form of the Discover tab where you’ll find others’ files related to what you are working on. The home page of a SharePoint team site surfaces activities in the site, the SharePoint mobile app and the SharePoint home in Office 365 suggest sites of possible interest and recent activity, plus Outlook’s Focused Inbox, where the Graph helps identify and eliminate clutter in your email stream. Screenshots on web and mobile where the value of intelligence from the Microsoft Graph surfaces throughout the various Office 365 workloads. The effect of opting-out of Delve will reduce the intelligence and discovery experiences in Office 365. It is our recommendation to not opt out. It is also possible to program your own custom solutions for any device with the intelligence from the Microsoft Graph. Developers leverage a single end point that provides access to a common set of simple, modern APIs. Using the Microsoft Graph API, developers can consume Office 365 data in their apps to create custom, personalized experiences for their users. You can learn more about developing with the Microsoft Graph at https://graph.microsoft.io. And the same data access security and privacy model, as articulated above, remains with custom applications that use the Microsoft Graph API. Custom applications querying the Microsoft Graph do so under the security context of the user and will only return content to which the user has been given permissions. Delve and intelligence customer evidence As you move from learning about Delve and the Microsoft Graph, into how you and your company can best introduce the value and capabilities to your users, it’s helpful to review how other companies chose to move forward, helping them to overcome a variety of challenges facing them. Below are two recent examples of companies that committed to putting Delve and the Microsoft Graph to use in production, into their evolving digital workplaces. Marks & Spencer | M&S is a global, multichannel retailer with more than 1,330 stores selling innovative food and quality clothing to people living in many different cultures. They wanted to find a way to unite the company. To promote unity, they sought the right technology tools to support a new business culture— one that is modern, agile, connected and collaborative—that’s defined by a digital mindset across a single global company. Alongside their company portal, serving 80,000 employees, Delve provides intelligent people discovery. “We plugged Delve into our company directory, so employees can look for individuals and see their managers and who they work with. We view Delve as a quick and easy way to find current data to keep us moving at a fast pace in this fast-paced business.” says Carl Dawson, IT Director. Please review the full Marks & Spencer case study + video. Weleda | Based in Arlesheim, Switzerland, Weleda has offices and partnerships in more than 50 countries. They needed to connect employees to the relevant content, conversations, and people around them. By “embedding Delve-like functionality into our intranet, it helps employees stay better connected to the colleagues, information, and projects that mean the most to them,” says Vladimir Filev, Enterprise Architect. Weleda employees are using Microsoft Office 365 to work closely with colleagues worldwide, transforming an email-driven workplace into an inclusive, connected culture that promotes individual achievement to improve global productivity and drive innovation. “Because Delve has such a great search engine,” Filev continues, “I’m able to keep track of contacts and files across multiple projects I’m involved with. In terms of personal time management, I find Delve very helpful.” Please review the full Weleda case study. Intelligence rests on trust Microsoft is committed to security, privacy and compliance. Your data is your data – and it is you who has control of who can see it and who can access it. Through transparent service operations, we seek to gain and earn your trust every day. We are accountable to you. Thanks for keeping us accountable, Mark Additional related resources SUPPORT ARTICLES “Share files or folders in Office 365”: https://support.office.com/en-US/article/Share-files-or-folders-in-Office-365-1fe37332-0f9a-4719-970e-d2578da4941c "Are my documents safe in Office Delve?": https://support.office.com/en-us/article/Are-my-documents-safe-in-Office-Delve-f5f409a2-37ed-4452-8f61-681e5e1836f3?ui=en-US&rs=en-US&ad=US "Office Delve for Office 365 admins": https://support.office.com/en-us/article/Office-Delve-for-Office-365-admins-54f87a42-15a4-44b4-9df0-d36287d9531b “ Understanding permission levels in SharePoint”: https://support.office.com/en-US/article/Understanding-permission-levels-in-SharePoint-87ecbb0e-6550-491a-8826-c075e4859848 BLOGS "Connect to expertise and content with new people experiences throughout Office 365" [9/26/16]: https://blogs.office.com/2016/09/26/connect-to-expertise-and-content-with-new-people-experiences-throughout-office-365/ (this is also the one MS Tech Summits stream on-demand) "Enriching the mobile and intelligent intranet with team news, apps for Android and Windows, and more" [9/26/16]: https://blogs.office.com/2016/09/26/enriching-the-mobile-and-intelligent-intranet-with-team-news-apps-for-android-and-windows-and-more/ "SharePoint - the mobile and intelligent intranet" [5/4/16]: https://blogs.office.com/2016/05/04/sharepoint-the-mobile-and-intelligent-intranet/ “ Today at Connect()—introducing the Microsoft Graph” [11/18/15]: https://blogs.office.com/2015/11/18/today-at-connect-introducing-the-microsoft-graph/ “ Office - Microsoft Graph: Gateway to Data and Intelligence” [Connect 2016]: https://msdn.microsoft.com/en-us/magazine/mt790189.aspx VIDEOS "Discover what's new and what's coming for Office Delve" on-demand BRK2044 session recording: https://myignite.microsoft.com/videos/1359 "Discover what's new and what's coming to the SharePoint Mobile and Intelligent Intranet" on-demand BRK2029 session recording: https://myignite.microsoft.com/videos/1302 "Explore new personalized, intelligence powered search experiences in SharePoint, Delve and Office 365": https://myignite.microsoft.com/videos/1363 "The Mobile and Intelligent Intranet: SharePoint sites and PowerApps": https://youtu.be/x8tgKBXmmPg "Updates to the SharePoint app, team sites and publishing experience": https://youtu.be/W4J6hZtove0What is the Office Graph?
Office Graph - the intelligent fabric to Office 365 data The Office Graph represents a collection of content and activity, and the relationships between them that happen across the entire Office suite. From email, social conversations, and meetings, to documents in SharePoint and OneDrive, the Office Graph maps the relationships among people and information, and acts as the foundation for Office experiences that are more relevant and personalized to each individual. The Office Graph uses sophisticated machine learning techniques to connect people to the relevant content, conversations and people around them. Office Graph has mapped over billions actions and interactions within Office 365, making it clear that organizations have been sitting on an untapped gold mine of business value. As it continues to analyze relationships and deliver insights from across the tools people use at work every day, it will enable experiences that go above and beyond search and discovery. Going forward, the Office Graph will continue to evolve and deliver increasingly rich insights in Office 365, and incorporate support for extensibility to reach beyond Office 365.
Get-MgProfile : The term 'Get-MgProfile' is not recognized as the name of a cmdlet, function, script
Hi everyone, The cmdlet Get-MgProfile is no longer available after updating to v2.1.0 Even the link is no longer available: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.people/get-mguserprofile What is the replacement Graph SDK cmdlet to get the existing Microsoft Graph PowerShell SDK connection profile name? Thanks in advance.
SharePoint Online - Office Graph error message
Hello Everyone, a user from our company have a problem at the sharePoint start site. She get the following error Message: "this is a limited version of the page because Office Graph is disabled. More information about activating Office Graph" The User cant see all information at the start site like other users... for example recently sites are not there. Does anyone of you know, what the problem here is or knows a solution to solve this?
SharePoint Librarys: Graph API Get items
Hey, i wanna list all the items that are in a SharePoint library which is the root library of a Teamsite. In the Graph API documentation i have found the following to "List children of a driveItem". Which seems to be what i need. I'm using the Graph Explorer v1.0, i get an empty value. GET /drives/{drive-id}/items/{item-id}/children { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('[Redacted]')/items('[Redacted]')/children", "value": [] } When getting the metadata of a drive (Get a DriveItem resource) I get the follwoing result. GET /drives/{drive-id}/items/{item-id}/ { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('[Redacted]')/items/$entity", "createdDateTime": "2018-06-29T06:58:41Z", "id": "[Redacted]", "lastModifiedDateTime": "2021-02-01T11:44:01Z", "name": "root", "webUrl": "[Redacted]", "size": 14251577828, "parentReference": { "driveId": "[Redacted]", "driveType": "documentLibrary" }, "fileSystemInfo": { "createdDateTime": "2018-06-29T06:58:41Z", "lastModifiedDateTime": "2021-02-01T11:44:01Z" }, "folder": { "childCount": 17 }, "root": {} } So instead of the first result to be empty I'm expecting to get at least the 17 Children on the first level. I'd really appreciate any pointers as to what I'm doing wrong. Thanks EDIT: I created a new Teamsite in that Tenant and got the same results. /drives/[Drive-id-Redacted]/items/[item-id-redacted]/children { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('Redacted')/items('Redacted')/children", "value": [] } I also did the same exact steps on another Tenant. Were i got the expected results. Everything on the first level of the document library was returned (empty folders, folders with content & files). GET drives/[drive-id-Redacted]/items/[item-id-Redacted]/children { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b%21AkpyLC5wkUKil3rDWQGKATkY1dsy_8VBn4bwuhbxbzG5iis7JuCiTYx7InpDx1E7')/items('0165NKSCF6Y2GOVW7725BZO354PWSELRRZ')/children", "value": [ { "createdDateTime": "2021-02-01T08:07:32Z", "eTag": "\"{Redacted},1\"", "id": "Redacted", "lastModifiedDateTime": "2021-02-01T08:07:32Z", "name": "_Test_Folder", "webUrl": "https://Redacted.sharepoint.com/sites/PowerAppsFunktionen/Freigegebene%20Dokumente/_Test_Folder", "cTag": "\"c:{Redacted},0\"", "size": 0, "createdBy": { "user": { "email": "mmuster@Redacted.com", "id": "Redacted", "displayName": "Max Muster" } }, "lastModifiedBy": { "user": { "email": "mmuster@Redacted.com", "id": "Redacted", "displayName": "Max Muster" } }, "parentReference": { "driveId": "Redacted", "driveType": "documentLibrary", "id": "Redacted", "path": "/drives/Redacted/root:" }, "fileSystemInfo": { "createdDateTime": "2021-02-01T08:07:32Z", "lastModifiedDateTime": "2021-02-01T08:07:32Z" }, "folder": { "childCount": 0 } }, { "createdDateTime": "2021-01-14T08:14:40Z", "eTag": "\"{Redacted},1\"", "id": "Redacted", "lastModifiedDateTime": "2021-01-14T08:14:40Z", "name": "Ordner", "webUrl": "https://Redacted.sharepoint.com/sites/PowerAppsFunktionen/Freigegebene%20Dokumente/Ordner", "cTag": "\"c:{Redacted},0\"", "size": 367581, "createdBy": { "user": { "email": "mmuster@Redacted.onmicrosoft.com", "id": "Redacted", "displayName": "Max Muster" } }, "lastModifiedBy": { "user": { "email": "mmuster@Redacted.onmicrosoft.com", "id": "Redacted", "displayName": "Max Muster" } }, "parentReference": { "driveId": "Redacted", "driveType": "documentLibrary", "id": "Redacted", "path": "/drives/Redacted/root:" }, "fileSystemInfo": { "createdDateTime": "2021-01-14T08:14:40Z", "lastModifiedDateTime": "2021-01-14T08:14:40Z" }, "folder": { "childCount": 22 } }, { "@microsoft.graph.downloadUrl": "https://Redacted.sharepoint.com/sites/PowerAppsFunktionen/_layouts/15/download.aspx?Redacted&ApiVersion=2.0", "createdDateTime": "2020-11-05T22:17:07Z", "eTag": "\"{Redacted},9\"", "id": "Redacted", "lastModifiedDateTime": "2020-11-06T10:33:09Z", "name": "Mappe.xlsx", "webUrl": "https://Redacted.sharepoint.com/sites/PowerAppsFunktionen/_layouts/15/Doc.aspx?sourcedoc=%7BRedacted%7D&file=Mappe.xlsx&action=default&mobileredirect=true", "cTag": "\"c:{Redacted},15\"", "size": 23064, "createdBy": { "user": { "email": "mmuster@Redacted.onmicrosoft.com", "id": "Redacted", "displayName": "Max Muster" } }, "lastModifiedBy": { "application": { "id": "Redacted", "displayName": "App Service" }, "user": { "email": "mmuster@Redacted.onmicrosoft.com", "id": "Redacted", "displayName": "Max Muster" } }, "parentReference": { "driveId": "Redacted", "driveType": "documentLibrary", "id": "Redacted", "path": "/drives/Redacted/root:" }, "file": { "mimeType": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "hashes": { "quickXorHash": "Redacted" } }, "fileSystemInfo": { "createdDateTime": "2020-11-05T22:17:07Z", "lastModifiedDateTime": "2020-11-06T10:33:09Z" } }, [...] ] } Has anyone had a similar experience? In the first Library i thought it might have to do with the number of items in the Library (about 25.000). But the others are all under 50 items.
Application.ReadWrite.OwnedBy: List all applications owned by the calling application
Hi, I am trying to get only the applications that my app owns using Graph, and on the documentation it shows that I should be able to only list the applications where my app is owner. (This is to limit the content I have access to with my app) https://docs.microsoft.com/en-us/graph/permissions-reference Application Application.Read.All: List all applications (GET /beta/applications) Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id}) Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications) Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects) Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref). NOTE: This may require additional permissions. However, if I create an app that has owner permissions on another app and I query against the Graph API "Applications" I am still able to list all applications in the tenant. I thought having me added as owner, on an application and having only that permission on my app, would limit my result ? Am I missing something here? Adding the app as an owner in the following way: Connect-AzureAD $objectIdOfApplicationToChange = Get-AzureADApplication -objectId "6929067b-b9ab-4bf6-bb17-81be5eb31ba1" $objectIdOfApplicationThatNeedsToBeAdded = Get-AzureADApplication -ObjectId "21780578-3035-47c1-8096-a1641ab3123d" Add-AzureAdApplicationOwner -ObjectId $objectIdOfApplicationToChange.ObjectId -RefObjectId (get-azureadserviceprincipal -all $true | where-object {$_.AppId -like $objectIdOfApplicationThatNeedsToBeAdded.AppId}).ObjectId When I query the Graph through PowerShell, I was hoping to get a 403 when querying all applications... Anyone tried to limit the result you get back using this permission ? It is not a wanted solution to give permissions to read all applications for this app, therefor we need to limit the access...
Searching private Office 365 Group files using Delve
Hi all, is there any update on when private group files will be visible in Delve? It has been "rolling out" for some time now on the http://fasttrack.microsoft.com/roadmap#R-31853, and according to https://office365.uservoice.com/forums/286611-office-365-groups/suggestions/10436289-allow-members-to-search-private-groups this capability was expected to be released by end of May. Also I noticed on the https://www.yammer.com/itpronetwork/#/Threads/show?threadId=709122014at least one user (TonyRedmond) has seen the capability. We are on first release however havent seen anything on this yet. Really keen to see it happen as I think the integration between Groups and Delve will really accelerate their usefulness and user adoption.
