Table of Contents
Item, Meeting, and People Insights Derived from User Signals
In August 2020, I wrote about how to control item insights using the Graph Explorer. Item insights are one of the three insights generated from Graph signals gathered from user activity and displayed in various places within Microsoft 365:
- Item insights: Recommendations about documents available to a user which they might be interested in. This information shows up in the profile card in the “Files” section.
- Meeting insights: When users open a meeting in their calendars, Outlook displays insights relevant to the meeting, such as documents and email covering the content of the meeting.
- People insights: Information about people deemed to be relevant to an individual and who have a “public relationship” with that individual. For example, they have the same manager (as noted in Azure AD) or share a common membership of a public group or distribution list with fewer than 30 members. People insights show up on the profile card in the “works with” section, with the people who appear ranked in order of the public and private communications (direct email or meetings rather than group-based communications) between the listed individuals and the owner of the profile card.
Item and meeting insights are configurable through the Search & Intelligence section of Settings in the Microsoft 365 admin center (Figure 1). Both can be enabled or disabled, and item insights can be disabled for a set of users defined as members of a group.
Recently, Microsoft added the ability to customize people insights, but only by running a Graph query. No doubt the necessary GUI will soon appear in the Microsoft 365 admin center.
The Need for User Privacy
In most cases, insights are useful. Looking at the list presented in the people card (Figure 2), users probably don’t realize how the Graph determines who appears in the list and what a public relationship is versus a private relationship. All they see is a set of individuals who the owner of the profile card “works with.”
However, in places where personal privacy is taken more seriously than in more liberal regimes, exposing the list of people that someone works with could be considered a breach of that person’s privacy. Although the list is based on public relationships that anyone can see by checking the membership of the relevant groups, it’s still too much for some.
Suppressing People Insights
To suppress people insights, a tenant can:
- Disable people insights completely. No one in the tenant sees this data.
- Disable people insights for a group of people. Everyone else sees the people insights.
For instance, if an organization decreed that the employees from a specific country should not see people insights, you could create a group (not a dynamic group) and add the relevant employees as members. The next step is to retrieve the identifier for the group and the tenant identifier, which is easily done by running the Get-AzureADGroup and Get-AzureADTenantDetail cmdlets:
Get-AzureADGroup -SearchString Disabled ObjectId DisplayName Description -------- ----------- ----------- c9758609-d33b-4eea-976b-d8e43a2ad135 DisabledGraphInsights Members of this group do not have graph insights Get-AzureADTenantDetail ObjectId DisplayName VerifiedDomain -------- ----------- -------------- d662313f-14fc-43a2-9a5a-d2e27f4f3476 Office 365 for IT Pros Office365itpros.com
Given that the Azure AD module is due for deprecation in March 2024, you should consider using the Microsoft Graph PowerShell SDK cmdlets:
Get-MgGroup -Filter "startsWith(displayname, 'Disabled')"
Id DisplayName Description GroupTypes
-- ----------- ----------- ----------
c9758609-d33b-4eea-976b-d8e43a2ad135 DisabledGraphInsights Members of this group do not have graph insights {Unified}
Get-MgOrganization | Select Id, DisplayName
Id DisplayName
-- -----------
d662313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros
With the two identifiers, we can go to the Graph Explorer and update the Insight settings control for people insights. This is done by running a Graph patch query to:
https://graph.microsoft.com/beta/organization/d662313f-14fc-43a2-9a5a-d2e27f4f3476/ settings/peopleInsights
The query includes a request body containing the identifier of the group holding the set of users to exclude from people insights:
{
"disabledForGroup": " c9758609-d33b-4eea-976b-d8e43a2ad135"
}
Figure 3 shows the Graph Explorer after running the patch query. The response (200) means that the Graph accepted the command, and the response preview shows the current configuration for people insights in the tenant. Here we can see that people insights are enabled (isEnabledInOrganization is True) and that a group of excluded users exists.
No More People Insights
After updating the organization setting, it can take up to 24 hours before its effect is noticed in profile cards. Figure 4 shows the result. The organization data is present, but the people insights are absent for any user who’s a member of the excluded group.
Controlling people insights is an easy thing to do. If you have some users who object to this information being available to others, it will take less than five minutes to create the excluded group and update the organization settings. Add a few extra minutes to populate the group, and then it’s just a matter of waiting for the update to percolate to applications.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.
Hi Tony, great blog post, thank you! We have a customer waiting for this feature. During our first tests, we were struggeling to get the needed API permissions. We tried “User.Read.All”,”User.ReadWrite.All”,”Organization.ReadWrite.All”,”People.Read.All” – but it seems not to be sufficient. Do you remember which API permissions are needed to access /settings/peopleInsights? Kind regards, Jens
Try Directory.ReadWrite.All because this is a directory setting.
Great article, thanks for sharing. Do you know if there is way to hide specific users from the organization chart? This way their managers (or subordinates) would not be visible? We would like to have such feature, applied to an AD group, for example. Or even checking any customized attribute.
I don’t believe you can hide someone except by not including their organization details in AAD (for example, not assigning them a manager or any direct reports).
Hi Tony, when you wrote turn it off at the tenant, was that via the UI on the insights page? I did this a few weeks ago to see what the out of the box behaviour was and I still see a populated ‘works with’ section. Thanks
The GUI only works for item and meeting insights. If you want to disable people insights, you’ve got to run a Graph query.
What should be mentioned in the Request body if you want to disable people insights for the entire tenant and not for a specific group?
The feature is designed for group disablement, so I think you’d have to create a group (dynamic group would be best) for everyone in the tenant and use that. I don’t know of another way.