My Analytics, Workplace Analytics & Delve - or from the backend perspective Office Graph & Microsoft Graph

The analytics features in Microsoft 365 remain a sensitive topic for works councils and data privacy officers. This article describes the options currently available to customize these apps.

Overview and history of Office Graph & Microsoft Graph

At the time of its initial release in 2014, Office Graph was the backend for Delve, among other things. The Office Graph has since evolved and the Microsoft Graph was joined. To provide a coherent Microsoft Graph schema, Microsoft introduced an itemInsights entity that inherits all the properties of the existing officeGraphInsights resource. Currently, for backward compatibility reasons, the officeGraphInsights entity is still available. Generally, the "insights" generated by the Microsoft Graph can be disabled for the entire tenant or per Azure AD group in the Admin Center:

More details about this and the options with PowerShell / API are described in this Microsoft article: Customizing item insights privacy in Microsoft Graph. Currently, August 2021, the options described in the article are still in "Preview" status.

The apps My Analytics, Workplace Analytics & Delve

All three apps aggregate and analyze users' actions in Microsoft 365 to give individual users a system-wide view of what's happening in Microsoft 365.

Delve: The Delve app mines all documents that a user is actively working on and attempts to analyze correlations between their own work and that of other users. The goal is to show users correlations and common work areas with other users. The following always is true:

• Security by Design. Everyone only sees what they have access to.
• Private signals can only be seen by the person himself, e.g. which content might be interesting for him. This cannot be impersonated in the sense of: please show me what is interesting for John Doe.
• Public Signals only show what can also be found in other ways, e.g. via search.

Delve can be customized by each user: The "Show Documents in Delve" setting is available at the following link: https://delve.office.com/ 

If a user deactivates this function, however, his signals are still collected by the Office Graph / Microsoft Graph and are available to other users who also have access to the affected documents. Only the user himself will not see any reports about the documents he is working on or has access to after deactivation.

The Office Graph / Microsoft Graph also creates the overview and reports for the user under office.com and in apps like Outlook or Microsoft Teams. The following functions / customizations are available here:

• Meeting Insights: When a user calls up an appointment in their calendar, Outlook displays other content relevant to that appointment. This can include mails and files in the mailbox, files from OneDrive or SharePoint for which the user has at least read permission. Meeting Insights can currently only be switched on or off for the entire tenant.
• Item Insights: This feature creates recommendations based on user interaction/common tasks in Microsoft 365. These recommendations can include documents or other types of content and are displayed in People Cards (Contacts), Delve, Office.com, and other locations. Item Insights can be turned on or off per Azure AD group.

The Office Graph can also be disabled completely, as described here: Control access to Delve. This will then affect many other features such as:

• SharePoint Home
• SharePoint Activities
• OneDrive Suggestions
• Copy / Pats Functions
• etc.

My Analytics: My Analytics creates an overview of the complete working day and provides reports on how long the user has spent on mails, meetings and other things. The My Analytics function can be controlled via the license. If a user is not assigned the license for this app, the function is not available.

My Analytics, like the Delve app, cannot be impersonated and reports are only available to the individual user to view

The My Analytics app can also be configured per user:

The following applies here:

• If the app as a whole is deactivated, the user will no longer be able to access his dashboards in My Analytics. The Insights Outlook add-ins are then also no longer available.
• Inline suggestions and weekly digests will no longer be generated.
• Email activity will no longer be included in the count for other users' email open rates.

Workplace Analytics: In Workplace Analytics, data from daily work in Microsoft 365 is used to identify patterns. Data protection is considered here by default, by only presenting data anonymized and aggregated at the group level.

The Workplace Analytics function can also be controlled via the license. If a user is not assigned the license for this app, his data will not be collected and analyzed. Workplace Analytics can currently only be licensed via an EA. For details, see: Requirements for Workplace Analytics

Workplace Analytics offers the following options for configuration:

• Sources: Administrators and analysts use these to verify that Microsoft 365 and organizational data has been uploaded correctly to Workplace Analytics.
• Upload: Administrators use this to prepare and upload organization and customer data.
• Administrator Settings: Administrators use this to configure system default settings, privacy settings, and manager settings.
• Analytics Settings: Analysts use this to customize meeting exclusion rules that help ensure data accuracy.

Details: Workplace Analytics Settings

By the way: The Viva Insights feature also uses data from the Microsoft Graph, combines it with its AI and creates the corresponding dashboard. The apps My Analytics and Viva Insights will be merged in the future:

Source: https://docs.microsoft.com/en-us/workplace-analytics/myanalytics/mya-landing-page

Guest users in Azure AD - available options and scenarios

The easiest way to give an external person access to a Microsoft 365 service is to invite him as a guest user via Azure AD. If an external person is invited directly via Teams, SharePoint, PowerBI, etc., this also automatically results in a guest user in Azure AD.

However, this is not the only option. Technically, there are different ways to do it:

1. A user is invited as a guest. The authenticating instance is either another Azure AD, or an IDP supported by Azure AD. Well known examples are Google and Facebook. More details are described here: Identity Providers for External Identities
2. The second option is that the user is created in the local AD or in the Azure AD. This is the case if customers or partners already have accounts in the local AD that should now also be used to access cloud resources, or if a company wants to manage guest users completely itself. The IDP is then also the own AD / Azure AD for the guest user.
3. A guest user who logs in via one-time passcode. Details are described in this article: Onetime Passcode Authentication to access Microsoft 365 Group resources

In Azure AD's, a guest user from the first or the third scenario technically looks like this: John.Smith_gmail.com#EXT#@tenantname.onmicrosoft.com. However, the user logs in normally as John.Smith@gmail.com.

A user created via the second scenario, however, also technically has a UPN that follows the "normal" layout: Jane.Doe@tenantname.onmicrosoft.com.

What makes a user a guest user?

Which instance does the authentication says nothing about whether a user is technically a guest user or a member. The value "UserType" which can be set via PowerShell determines whether an account is defined as a guest or as a member.

Example:

Connect-MsolService

Set-MsolUser -UserPrincipalName "John.Smith@gmail.com" -UserType Member

This makes the user John.Smith@gmail.com, who was invited as a guest, a full member in Azure AD. This user can now also be added to a Microsoft Team as a member or owner.

The other way a user from the on-premises AD or Azure AD can be configured as a guest user.

Example:

Connect-MsolService

Set-MsolUser -UserPrincipalName "Jane.Doe@tenantname.onmicrosoft.com" -UserType Guest

When a user is changed from a guest to a member, he must also be licensed. If a user is newly created or synchronized via AAD Connect, it is always a member of Azure AD. Via "-UserType Guest" he can be turned into a guest account and does not need to be licensed anymore.

Microsoft article about this:

• Grant locally-managed partner accounts access to cloud resources using Azure AD B2B collaboration
• GitHub - external-identities/invite-internal-users.md

Examples

Example 1 - Account in Azure AD is reconfigured from member to guest user:

Example 2 - Account in Azure AD is reconfigured from guest user to member:

Use app enforced restrictions vs. Use Conditional Access App Control

Blocking downloads or at least blocking them on unmanaged devices is a common requirement in the context of Microsoft Teams and SharePoint. Different features can be used to implement such requirements.

App Enforced Restrictions

Generally, these settings can be configured in the SharePoint Admin Center:

If this setting is used, the system automatically creates two conditional access policies in Azure AD:

These policies can be customized and thus also used as a starting point for a more detailed conditional access policy that, for example, only applies to selected users or groups.

The first screenshot above also shows the following message: We will automatically change the "Apps that don't use modern authentication" setting to block access (because these apps can't enforce this device-based restriction). The background is that apps that do not use modern authentication cannot enforce any device-based setting. If such apps remain allowed, the created conditional access policies can be bypassed.

Another information in the screenshot above makes clear that not all detailed settings are available via the UI in the SharePoint Admin Center: "If you don't want to limit or block access organization-wide, you can do so for specific sites". The link behind "Learn how" is to the documentation of the options via PowerShell.

Example: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess

Options with Sensitivity Label

The solution via Sensitivity Label means that the settings in the SharePoint Admin Center are no longer used. The label offers the same options as for example "Allow limited, web-only access":

This setting has the following effect both in the SharePoint Admin Center and in the label configuration:

Users on unmanaged devices can only access the designated website through the browser, without being able to download, print, or sync files. They also cannot access content through apps, including Office desktop apps.

In this scenario, the corresponding label is assigned to one or more SharePoint sites. The label then enforces the configured setting. If the label and the settings in the SharePoint Admin Center conflict, the label wins.

With both options, it is thus possible to prevent downloading content from pages explicitly configured using PowerShell or labeled with a sensitivity label that enforces web-only access. It may take 5-10 minutes for the policy to take effect. It will not take effect for users who are already signed in from unmanaged devices.

Limitations of the solution with App Enforced Restrictions

The following restrictions apply when using App Enforced Restrictions:

• If you limit access on unmanaged devices, users on managed devices must use one of the supported OS and browser combinations, or they will also have limited access.
• If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part.
• If you're using classic SharePoint site templates, site images may not render correctly. This is because the policy prevents the original image files from being downloaded to the browser.
• When Access Control for Unmanaged Devices in SharePoint is set to Allow limited, web-only access, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Yammer.

Use Conditional Access App Control

To create rules more granular / with advanced options, "Block Download" can also be enforced with Cloud App Security. This is done by using the "Conditional Access App Control" options in Conditional Access in Azure AD:

Cloud App Security then acts as a broker that is in front of the access to Office 365:

This also allows scenarios such as assigning a sensitivity label as soon as a document is downloaded.

Further options:

• Add file filters to the policy: Extension, File Name, File Size, Sensitivity Label
• Inspection Method: Can be used to configure include or exclude conditions 
• Actions: Block, Protect (Apply sensitivity label to downloads & monitor all activities), require step-up authentication like MFA etc.,
• Configure Alerts

Further details and how to implement the solution are described in this blogpost: Secure your environment by Conditional Access & App Controls

What is the difference between "Use app enforced restrictions" and "Use Conditional Access App Control"?

If the focus is only to prevent downloading on a unmanaged device, this can be achieved with both methods. The method via Microsoft Cloud App Security offers more detailed options, is not limited to SharePoint and Exchange, and does not have the limitations of App Enforced Restrictions. (see Limitations of the solution with App Enforced Restrictions) Another significant difference is the license required in each case. App Enforced Restrictions in combination with Azure AD Conditional Access required only an Azure AD P1 license. The Conditional Access App Control solution requires a Cloud App Security license for all affected users.

Sensitivity Labels & Default sharing link type

You can configure the default sharing link type for SharePoint and One Drive for Business in the SharePoint Admin Center:

With PowerShell you now can associate a default sharing link type to a sensitivity label.
Example:
If you have a label called "TOP SECRET". You could already configure this label to stop external sharing on sites associated with this label:

Now you can fine tune even this and specify the default sharing link type usingt PowerShell:

• Set-Label -Identity 'TOP SECRET' -AdvancedSettings @{DefaultSharingScope ="SpecificPeople"}

• Set-Label -Identity 'TOP SECRET' -AdvancedSettings @{DefaultShareLinkPermission ="Edit"}

This feature is now (06/08/2021) in public preview.

Customize Built-In Classifiers

As part of data classification in Microsoft 365 compliance center you can now customize built-in classifiers (sensitive information types) to meet organization's needs.

This update includes:

• Ability to edit custom dictionaries

• New validation functions like for example…:
• Custom checksum validator
• Date validator
• Luhn check (The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits.)
• Etc.
• Ability to define Proximity at pattern and element level

Rollout will begin mid-June and is expected to be complete by mid-July 2021.

For all of you who wants to start with custom sensitive information types; this feature is already here: https://docs.microsoft.com/en-us/microsoft-365/compliance/create-a-custom-sensitive-information-type

Zero Trust (TIC3.0) Workbook & Microsoft Teams

Microsoft provided a powerful new Azure Sentinel Workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-zero-trust-tic3-0-workbook/ba-p/2315195

The Zero Trust (TIC3.0) Workbook has two general aspects. On the one hand, it provides a topic-based overview of Microsoft Security & Compliance features:

This "overview" can be filtered and segmented by topics:

The other aspect is that this is not just static content. Wherever possible, the data from the tenant is displayed for the selected topic:

As shown in the screenshot, it is always possible to jump from the Zero Trust (TIC3.0) Workbook to the underlying KQL Querrey in order to evaluate further details.

Whether data can be viewed from the tenant depends on which services are included in Azure Sentinel. Example:

Microsoft Teams & Zero Trust (TIC3.0) Workbook

With the "Unified Communications & Collaboration" filter, the focus of the Workbook is among other things on the Microsoft Teams service. Here, recommendations and details of a Zero Trust strategy are now also displayed as well as data on the tenant:

The Zero Trust (TIC3.0) Workbook can therefore be used to develop an IT security and compliance strategy on the one hand, and on the other hand provides direct data for each topic that is selected.
The focus is not only on the SaaS solutions around Office 365; with the connectors that can be integrated into Azure Sentinel, a comprehensive overall picture is easily possible.

Showing Azure AD Sign-in locations in a world map

 "We need an overview showing from where people are logging on to our Microsoft Cloud environment."  This requirement came up as part of a project.And the first approach was to use the features that are directly available in Microsoft Cloud solutions:

Azure AD Sign-In Logs:

Here, however, came the request to display this info on a world map to visually see where the login-ins came from. Cloud App Security offers this feature as a standard feature on the dashboard (https://portal.cloudappsecurity.com/#/dashboard).

Cloud App Security:

However, the Cloud App Security feature is not available in all license bundles, and the dashboard can only be filtered by the apps used.

Solution

The Azure AD sign-in logs are also available as a workbook template in Azure Sentinel. And this workbook template can be customized / extended:

To add a world map to the standard workbook with the regions from which the accesses occurred, the following steps are necessary:

• Azure Sentinel -> Workbooks -> Azure AD Sign-in logs -> View saved Workbook. (See screenshot above)
• In the upper left pane, "Select Edit" and then on the "Sign-ins by Location" report, select the "Edit" option for that report:

• In the edit mode the button "Add -> Add Query" is available. In the new query that is created, copy the text from the query "Sign-ins by Location" and select "Map" as visualization:

• The values for "Location Info using" and "Country/Region field" in the Map Settings must be configured at least:

• Result:

The workbook and therefore the map can now be filtered by the following values:

• TimeRange
• Apps
• Users
• Category (Sign-in Logs / Non interactive sign-in logs)

Related topics

• Azure AD activity logs (not Azure AD sign-in logs) can be used in Azure Monitor to use the data in Splunk or QRadar:
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
• When access to Azure resources is important, the Azure Network Watcher can be used. Based on Azure Network Security Group, it is not only possible to see which accesses are taking place. Rules can also be created to control accesses or accesses can be blocked. Details:
• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-network-security-hygiene-with-traffic-analytics/ba-p/2282377
• https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

The Traffic Analytics feature focuses on the following scenarios: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

• Visualize network activity across your Azure subscriptions and identify hot spots.
• Identify security threats to, and secure your network, with information such as open-ports, applications attempting internet access, and virtual machines (VM) connecting to rogue networks.
• Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
• Pinpoint network misconfigurations leading to failed connections in your network. 

Viva Connections, SharePoint HOME, global Navigation and Microsoft Teams

Microsoft Viva Connections is one of the four Viva modules. Announced as the "home site app," Viva Connections for Teams combines SharePoint intranet capabilities with the chat and collaboration features of Microsoft Teams. With Viva Connections, users will see relevant content, sites and news from across the organization right in the Teams app bar.
Viva Connections uses the global navigation links along with personalized content provided by Microsoft Graph. The global navigation is configured in the SharePoint HOME site. Therefore, the recommended first step is to set up a SharePoint HOME site in the tenant. Technically also any other SharePoint modern site can be used in the Tenant.

Setting up the SharePoint HOME site

The HOME site in SharePoint Online must be set up via PowerShell. As of today, there can only be one HOME site in the tenant.

Setting up a HOME site with PowerShell:

• Connect to SPO: Connect-SPOService -Url https://contoso-admin.sharepoint.com
• Setup Home Site: Set-SPOHomeSite -HomeSiteUrl <siteUrl>

Details are described in the following Microsoft articles:

• Get started with SharePoint Online Management Shell
• Set a site as your home site

Configuring Global Navigation

Since the Viva Connections app in Teams integrates the SharePoint intranet with the Teams app, it makes sense to enable global navigation for the HOME site. However, this is not a must. The Viva Connections App in Teams also works with the classic navigation.

Details:

• As long as global navigation is disabled, the Home icon is associated with the SharePoint home site.

• Customizing global navigation requires a home site.

• To enable global navigation, site owner permissions (or higher) are required for the home site.

• Users need read access (or higher) to the home site to view the global navigation links.

• Audience targeting can be applied to navigation links in the global navigation.

• After global navigation is enabled, it may take up to 24 hours to display.

How to enable global navigation in SharePoint HOME site is described in this Microsoft article: Enable global navigation & configure the global Navigation.

Viva Connections

The user used to create the Viva Connections desktop package requires site owner privileges for the home site in SharePoint. The PowerShell script to create the app package can be downloaded here: Viva Connections for desktop PowerShell script.

During the setup in PowerShell, the following parameters need to be set:

• URL of your tenant's home site: Enter the URL of the tenant's home site that begins with "https://". This page becomes the default landing page for Viva Connections.

• Name: The name of your Viva Connections desktop package, as it should appear in Teams App bar.

• App short description (80 characters): A short description for your app that will appear in Teams App Catalog.

• App long description (4000 characters): A long description for your app that will appear in Teams App Catalog.

• Privacy policy: The privacy policy for custom Teams apps in your organization (must start with https://). If you don't have a separate privacy policy, press Enter and the script will use Microsoft's default SharePoint privacy policy.

• Terms of use: the terms of use for custom Teams apps in your organization (must start with https://). If you don't have separate terms of use, press Enter and the script uses the default SharePoint terms of use from Microsoft.

• Company name: Your organization name, visible on the app page in Teams App Catalog in the "Created by" section.

• Company website: Your organization's public website (must start with https://), which will be linked to your organization's app name on the app page in Teams App Catalog in the "Created By" section.

• Icons: You must provide two PNG icons that will be used to represent your Viva Connections desktop app in Teams; a 192X192 pixel color icon for the Teams App Catalog and a 32X32 pixel monochrome icon for the Teams App Bar.

Result: Your Viva Connections desktop app has been successfully created! Please find the app manifest in location 'C:\Users\%name%\Desktop', filename 'Viva-Connections'.zip. Please upload this app in Teams Admin Center to proceed:

Upload the Viva Connections desktop package in the Teams Admin Center:

Pin the app to the navigation bar in the Teams client by default for your users:

The user will then see the app in the left bar the next time he launches Teams:

Microsoft Teams only

When you need to establish HOME Office workplaces quickly and easily, a Microsoft Teams Only setup is an option. Of course, a planned and coordinated rollout of Office 365 overall, including an adoption and training concept, is the preferred approach. Nevertheless, sometimes it simply has to go fast and then a pragmatic solution is required.

Overview

If the focus is a solution for virtual meetings and collaboration, the planning approach is primarily about not encouraging uncontrolled sprawl in the involved backend systems SharePoint, Exchange and Azure AD. The Microsoft Team service is based on these services and therefore cannot work without them. This is also reflected in the fact that by assigning a Microsoft Teams license, access to SharePoint is also technically included.

The services and licenses listed in the "Minimum technical requirements" section are required per user to use Microsoft Teams. The services in parentheses are optional depending on business requirements and deployment scenarios.

Even if Microsoft Teams should only be used in the context of Online Meeting, the owner of a Team has further options available. For example, he can create additional Channels in a Team or create additional SharePoint Lists and Libraries in the associated SharePoint Team Site. This applies to users who have a Teams license because they need to create Teams Meeting, for example. To join a Teams Meeting invited from another tenant, a user only needs an account in an Azure AD or a LiveID / Guest User.

Minimum technical requirements

Azure Active Directory Account / synchronized identities to Azure Active Directory

Exchange Online / Exchange Hybrid: Details: https://docs.microsoft.com/en-us/microsoftteams/exchange-teams-interact

The SMTP matching to match on-premises user accounts to Office 365 user accounts option can be used to merge mailboxes at a later date. This is relevant when users and mailboxes need to be created in Exchange Online in parallel with existing mailboxes in Exchange Server on-premises, for example because Exchange Hybrid cannot be implemented in a short term.

SharePoint Online & OneDrive for Business: Details: https://docs.microsoft.com/en-us/microsoftteams/sharepoint-onedrive-interact

The following is not a general recommendation. The described actions make sense if the goal is to use Microsoft Teams only as an ad hoc solution for online meetings etc. and not to use any other Office 365 service for now.

• Restriction that users cannot create additional SharePoint Site Collections.
• Further options for restrictions in SharePoint Online & OneDrive:
• Restrict content from being shared anonymously.
• Conditional Acceess Policy that only allow access to SharePoint. This prevents services such as PowerApps and Power Automate being used in SharePoint.

Access monitored via Microsoft Cloud App Security. Details and examples can be found here: Secure your environment by Conditional Access & App Controls

Licenses / Apps:

The bracketed apps in the following list are not mandatory to work with Microsoft Teams as such. However, the Teams App license as such must be assigned to a user so that the basic Teams functions are available and the client can be used:

Microsoft Teams, (SharePoint & OneDrive), (Exchange Online), (Office for the web), (Microsoft Planner), (Microsoft Stream), (Whiteboard).

If the user is not assigned a SharePoint license, OneDrive for Business is also not available to him. This has the effect that in personal chats no attachments can be attached to the chat by this user. The user will see the following message:

He can still chat with other users.

If the Exchange Online license is missing or no Exchange Hybrid is in use, the calendar is not available in Teams.

Weitere Details und Abhängigkeiten sind in diesem Artikel von Microsoft beschrieben: Prerequisites and environmental dependencies for Teams.

Example setup:

Tips

To keep track of Teams usage and keep users themselves engaged, Microsoft is already providing some Azure features:

• Azure AD Access Reviews, showing which Teams are in active use: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview    
• Azure AD Expiration Policy, which requires Teams Owners / Members to periodically confirm that a Team is still needed: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-lifecycle    

Scripts to generate custom reports can also be easily created using PowerShell. The CLI for Microsoft 365 can be used for this: https://pnp.github.io/cli-microsoft365.

Hello 2021 - what can we expect from you?

 

This whitepaper summarizes the trends and what we can expect in the IT industry in 2021. Of course, it will still be about new features and options. However, the challenges that companies had and have to deal with COVID-19 also brought topics such as IT security and governance back into focus.

In conclusion, the current challenges have made it clear that the question "What do I get out of a new tool or service and what would it take for me to implement it?" is really only the second question. Question number 1 was and will remain for now: "What do I need as a company to be able to work productively?"

After the ECJ declared the Privacy Shields as invalid in the summer of 2020, the topic of GDPR will continue to affect us in 2021.

Details on this and other topics in the free whitepaper Hello 2021 - what can we expect from you?

• Download in Englisch
• Download in German