Customizing item insights privacy in Microsoft Graph (preview)

Item insights are relationships that Microsoft calculates using advanced machine learning techniques. When users collaborate over documents, SharePoint sites and lists, Teams chats and channels, Microsoft aggregates these activities as signals. From the signals Microsoft derives insights to make user-centric content recommendations for users in an organization.

Item insights can help users quickly find files that matter to them, such as in the Recommended experience in Office.com and Delve. Users can discover in the Discover area in Outlook Mobile potentially useful content to which they have access but may not have seen before. From personalized insights such as Recent files in a persona card in Bing and Recent in Microsoft 365 apps, users can easily discover their recent files.

These item insights reflect only content to which users have access. No user gets recommendations to content that they can't access.

Note This article does not address other insight-based experiences in Microsoft 365, such as Viva Insights, the Insights add-in for Outlook, WorkWith feature, MyAnalytics, and Insights dashboard.

Item insights privacy

Item insights privacy settings provide the ability to configure the visibility of insights derived from Microsoft Graph, between users and other items (such as documents or sites) in Microsoft 365. You can disable the Delve app via the pre-existing controls, but allow other insights-based experiences to continue to provide assistance.

This article describes customizing item insights privacy in an organization. To customize item insights for a user, see the userInsightsSettings resource. These user-centric settings are exposed through a navigation property named itemInsights in the userSettings resource.

Background

At the time of first release in 2014, Office Graph was a backend service for Delve. They shared a set of privacy controls over both the Office Graph insights and the Delve user experience. Office Graph has since evolved and become more independent and powerful, as part of every Microsoft 365 experience and of Microsoft Graph. To offer a coherent Microsoft Graph schema, Microsoft introduced an itemInsights entity which inherits all the properties of the pre-existing officeGraphInsights resource, and has kept officeGraphInsights around for backward compatibility. The introduction of itemInsights also de-couples the privacy story for the two independent pieces.

While existing apps could continue to use officeGraphInsights, these apps should upgrade to itemInsights to gain the flexibility to fine-tune item insights in Office Graph and Delve.

How to customize item insights?

Item insights settings provide flexibility for administrators to use Azure AD tools. Administrators can disable item insights for an entire organization, or for only members of a specified Azure AD group. They can configure item insights in the Microsoft 365 admin center, or by using the PowerShell SDK or Microsoft Graph REST API with due permissions. Keep in mind that the global administrator role is required.

The next section describes using the admin center, and is followed by the section about PowerShell cmdlets. If you're using the REST API, skip the next two sections and continue with Configure item insights using REST API. Then refer to the read or update REST operations for more information.

How to configure item insights settings via Microsoft admin center?

An administrator with the global administrator role can tune item insights privacy settings via toggles. To do so, in the Microsoft 365 admin center, expand Settings, select Search & intelligence, and under Item insights, choose Change settings. image

How to configure item insights settings via PowerShell?

Confirm the following additional prerequisites. Then you can use the Microsoft Graph PowerShell SDK to set item insights for an entire organization or for specific groups.

Additional prerequisites

Command examples

Note

Because item insights commands are only available in beta, switch to the beta profile before calling it.

   Select-MgProfile beta

To get item insights configuration for an organization, use the Microsoft Graph PowerShell module and the following command, where you replace $TenantId with your Azure Active Directory tenant ID. You can retrieve this ID from the overview page of your Azure Active Directory.

   Get-MgOrganizationSettingItemInsight -OrganizationId $TenantId

By default, item insights are enabled for the entire organization. You can use the Microsoft Graph PowerShell module to change that and disable item insights for everyone in the organization.

Note

The update method requires additional User.ReadWrite.All permissions. To create a Microsoft Graph session with a specific required scope, use the following command and consent to requested permissions.

   Connect-MgGraph -Scopes "User.Read.All","User.ReadWrite.All"

Use the following command, where you replace $TenantId with your Azure Active Directory Tenant ID and specify -IsEnabledInOrganization as false.

   Update-MgOrganizationSettingItemInsight -OrganizationId $TenantId -IsEnabledInOrganization:$false

Alternatively, you can change the default and disable item insights for a specific Azure AD group. Use the following command, where you replace $TenantId with your Azure Active Directory Tenant ID, and $GroupID with the Azure Active Directory group ID.

   Update-MgOrganizationSettingItemInsight -OrganizationId $TenantId -DisabledForGroup $GroupId

Configure item insights using REST API

As stated earlier, by default, item insights privacy settings are enabled for the entire organization. These settings are exposed through a navigation property named itemInsights in organizationSettings. You can change the default in one of two ways:

  • Disable item insights for all users in the organization, by setting the isEnabledInOrganization property of the itemInsightsSettings resource to false.
  • Disable item insights for a subset of users, by assigning these users in an Azure AD group, and setting the disabledForGroup property to the ID of that group. Find out more about creating a group and adding users as members.

Use the update operation to set the isEnabledInOrganization and disabledForGroup properties accordingly.

How item insights are enabled isEnabledInOrganization disabledForGroup
Entire organization (default) true empty
Disabled for a subset of users in the organization true ID of the Azure AD group which contains the subset of users
Disabled for the entire organization false ignored

Keep the following in mind when updating item insights settings:

  • Item insights settings are available only in the beta endpoint.
  • Get the ID of an Azure AD group from the Azure portal, and make sure the group exists, because the update operation does not check the existence of the group. Specifying a non-existent group in disabledForGroup does not disable insights for any users in the organization.
  • Updating settings can take up to 24 hours to be applied across all Microsoft 365 experiences.
  • Regardless of item insights settings, Delve continues to respect Delve tenant and user level privacy settings.

Behavior changes in UI and APIs

For a full list of experiences affected when disabling item insights, see Overview of item insights.

Transition period

To accommodate configuring item insights settings, through the end of 2020, Microsoft 365 respects both Delve settings and item insights settings, and enforces the stricter of the two if they differ. This means that a user is considered as opted out of item insights if the user has opted out by either Delve controls or item insights settings.

After this transition period, Delve settings control only Delve experience, and item insights settings affect only Microsoft Graph item insights. Make sure to configure item insights according to your organization's requirements.

Note

During the transition period, due to technical reasons, the SharePoint start page may provide stale suggestions if an organization disables item insights for all users. This issue will be addressed in upcoming server-side changes.

See also

Learn more about Delve and using Delve feature settings to control documents showing up in the Discover feed: