User data now anonymised by default in Admin Center reports & Graph Reporting API output – may impact your application
On August 30th, a blog post on the Microsoft Tech Community website announced that, by default, identifiable user data would now be removed from reports in Admin Centers and in Microsoft Graph report API calls. Instead, unidentifiable values would be used in place of the names of users, groups and sites.
This change came into effect for both v1.0 and beta 2 days later, on September 1st, and impacts:
- Microsoft 365 Reports in the Microsoft 365 admin center
- Microsoft 365 usage reports in Microsoft Graph
- Microsoft Teams analytics and reporting in the Microsoft Teams admin center
- The reportRoot: getSharePointSiteUsageDetail API (1.0 and beta) for SharePoint site detail
A lot of the data in the Reporting APIs (the ones that start /reports/) which pertains to users is being anonymised by default. This means that fields like the User Principal Name no longer contain the user name. (technically, pseudonymized; read on…)
Here’s an example of the getTeamsUserActivityUserDetail response today. I’ve only included one user and not all of the columns, but notice how the “User Principal Name” value has been replaced:
For reference, this is what it looked like before – same user but with the user principal name intact:
From a very quick look at my tenant, it doesn’t look like the GUID is the user’s Object ID, which will make it hard to tie it back to an individual user. In their blog post, Microsoft uses the word “pseudonymize” rather than “anonymize”, which does technically leave the door open to the value being able to be decrypted back into its original text. Maybe Microsoft will provide developers with a mechanism to do that, where it’s needed?
In the Teams Admin Center, the Teams User Activity Report will no longer show the user’s Display Name:
What’s the impact?
This is likely to impact any ISVs who use the report data from the API to track usage of Microsoft 365 across the tenant in more detail than is available with the standard reporting tools. Often the UPN is used not to identify a specific user but as a way to aggregate the country, area, department or office and provide specific guidance to larger organisations about where to target adoption, for instance.
In the short term, due to how quickly this has taken place there may well be errors and problems with ISV solutions unless tenant admins can agree to disable this change, even temporarily, whilst fixes are made.
Longer-term, tenant admins are going to have to decide whether the increased privacy for their users is valuable enough to justify the reduced visibility of usage that will result.
Why is this happening?
According to the blog post on Microsoft Tech Community which announced this, it’s happening as part of Microsoft’s commitment “to both data-driven insights and user privacy.”
By making data anonymised by default, the idea is that the tenant owner and others will still be able to track usage patterns but without going as far down in detail as the user. However, not knowing the user also means you don’t know the city, country or department which will limit the amount of analysis that’s possible. It’s a delicate balance for sure, but one where Microsoft is landing on the side of privacy-first.
I don’t want this. How do I turn it off?
If you’re a global administrator then it’s possible to disable this new anonymisation and go back to how things were. In the Microsoft 365 admin center, there is a new option in Settings > Org Settings > Services > Reports.
Confusingly, for me, the accompanying text here says that the default is to show identifiable information, however, the checkbox to display de-identified names has been checked. Your mileage may vary:
This is a single, powerful, lever that acts tenant wide and affects not just the API but also reports in the Microsoft 365 Admin Center and the Teams Admin Center.
It’s worth noting that, for me, changing this setting took effect immediately when making API calls and in the Teams Admin Center – I don’t have to wait 24 hours as is the case with some Admin Center changes.
In the future, it would be nice to be able to specify different anonymisation options for not only the API, but specific application IDs, or even groups of users. Many tenants cross country boundaries and are subject to different rules. Right now, if a tenant admin has to choose the option that is correct for the most restrictive region there is no way to prevent this from applying to all users, even those in less restrictive regions where analysis of the data by admins might be useful.