Customizing item insights privacy in Microsoft Graph (preview)
Item insights privacy settings provide the ability to configure the visibility of insights derived from Microsoft Graph, between users and other items (such as documents or sites) in Microsoft 365. You can disable the Delve app via the pre-existing controls, but allow other insights-based experiences to continue to provide assistance.
At the time of first release in 2014, Office Graph was a backend service for Delve. They shared a set of privacy controls over both the Office Graph insights and the Delve user experience. Office Graph has since evolved and become more independent and powerful, as part of every Microsoft 365 experience and of Microsoft Graph. To offer a coherent Microsoft Graph schema, Microsoft introduced an itemInsights entity which inherits all the properties of the pre-existing officeGraphInsights resource, and has kept officeGraphInsights around for backward compatibility. The introduction of itemInsights also de-couples the privacy story for the two independent pieces.
While existing apps could continue to use officeGraphInsights, these apps should upgrade to itemInsights to gain the flexibility to fine-tune item insights in Office Graph and Delve.
How to customize item insights?
Item insights settings provide flexibility for administrators to use Azure AD tools. Administrators can disable item insights for an entire organization, or for only members of a specified Azure AD group. Configure item insights by using the PowerShell SDK or Microsoft Graph REST API with due permissions. Keep in mind that the global administrator role is required.
The next section describes using PowerShell cmdlets to configure insights settings. If you're using the REST API, skip the next section and continue with Configure item insights using REST API. Then refer to the read or update REST operations for more information.
How to configure item insights setting via PowerShell?
Confirm the following additional prerequisites. Then you can use the Microsoft Graph PowerShell SDK to set item insights for an entire organization or for specific groups.
- PowerShell module - Install module version 0.9.1 or higher.
- .NET Framework - Install .NET Framework 4.7.2 or a higher version.
Because item insights commands are only available in beta, switch to the beta profile before calling it.
To get item insights configuration for an organization, use the Microsoft Graph PowerShell module and the following command, where you replace
$TenantId with your Azure Active Directory tenant ID. You can retrieve this ID from the overview page of your Azure Active Directory.
Get-MgOrganizationSettingItemInsight -OrganizationId $TenantId
By default, item insights are enabled for the entire organization. You can use the Microsoft Graph PowerShell module to change that and disable item insights for everyone in the organization.
The update method requires additional
User.ReadWrite permissions. To create a Microsoft Graph session with a specific required scope, use the following command and consent to requested permissions.
Connect-MgGraph -Scopes "User.Read","User.ReadWrite"
Use the following command, where you replace
$TenantId with your Azure Active Directory Tenant ID and specify
Update-MgOrganizationSettingItemInsight -OrganizationId $TenantId -IsEnabledInOrganization:$false
Alternatively, you can change the default and disable item insights for a specific Azure AD group. Use the following command, where you replace
$TenantId with your Azure Active Directory Tenant ID, and
$GroupID with the Azure Active Directory group ID.
Update-MgOrganizationSettingItemInsight -OrganizationId $TenantId -DisabledForGroup $GroupId
Configure item insights using REST API
As stated earlier, by default, item insights privacy settings are enabled for the entire organization. You can change the default in one of two ways:
- Disable item insights for all users in the organization, by setting the isEnabledInOrganization property of the itemInsightsSettings resource to
- Disable item insights for a subset of users, by assigning these users in an Azure AD group, and setting the disabledForGroup property to the ID of that group. Find out more about creating a group and adding users as members.
Use the update operation to set the isEnabledInOrganization and disabledForGroup properties accordingly.
|How item insights are enabled||isEnabledInOrganization||disabledForGroup|
|Entire organization (default)||
|Disabled for a subset of users in the organization||
||ID of the Azure AD group which contains the subset of users|
|Disabled for the entire organization||
Keep the following in mind when updating item insights settings:
- Item insights settings are available only in the beta endpoint.
- Get the ID of an Azure AD group from the Azure portal, and make sure the group exists, because the update operation does not check the existence of the group. Specifying a non-existent group in disabledForGroup does not disable insights for any users in the organization.
- Updating settings can take up to 8 hours to be applied across all Microsoft 365 experiences.
- Regardless of item insights settings, Delve continues to respect Delve tenant and user level privacy settings.
Behavior changes in UI and APIs
The profile card of a user who has disabled item insights does not show their used documents. The same limitation applies to the profile result of Microsoft Search in Bing, where the Recent Files panel becomes empty. Furthermore, the precision of acronym-expansion in search is reduced.
Disabling item insights will stop suggested meeting hours from being calculated and shown to the user on their profile card.
In Delve, a user who has disabled item insights has their documents hidden.
Any user who disables item insights has their activity removed from organization-wide analytics. Normally such analytics suggests assistive insights to the user's colleagues across a multitude of experiences, ranging from Outlook to OneDrive and SharePoint. The analytics is always anonymous regardless of settings, but when a user disables insights, the user's activity is excluded from improving the productivity of others.
Where the Discover section is enabled for a user searching in Outlook mobile, disabling item insights for that user would hide documents in the Discover section, that are trending around the user. Trending documents are otherwise recommended and displayed based on other activities of the user.
To accommodate configuring item insights settings, through the end of 2020, Microsoft 365 respects both Delve settings and item insights settings, and enforces the stricter of the two if they differ. This means that a user is considered as opted out of item insights if the user has opted out by either Delve controls or item insights settings.
After this transition period, Delve settings control only Delve experience, and item insights settings affect only Microsoft Graph item insights. Make sure to configure item insights according to your organization's requirements.
During the transition period, due to technical reasons, the SharePoint start page may provide stale suggestions if an organization disables item insights for all users. This issue will be addressed in upcoming server-side changes.
Learn more about Delve and using Delve feature settings to control documents showing up in the Discover feed: