Customers Learn About Leak in Microsoft 365 Message Center
Last year, Microsoft introduced the data privacy tag for Microsoft 365 message center notifications. The idea is that if Microsoft detects a problem that compromises any aspect of data privacy, it can highlight the issue to tenant administrators in a Microsoft 365 data privacy message. I haven’t seen any notifications since their introduction, but several tenant administrators received one recently (Figure 1).
The text of the message revealed details of a data leak in Teams usage data:
“We’ve identified and subsequently corrected an issue where the user-related data of one or more of your users may have been incorrectly displayed in a user activity report run by another customer. The issue was introduced as a result of a misconfiguration contained in an update.
The report in question is the Microsoft Teams user activity report (more information on the report can be found here). We’ve confirmed that the data fields incorrectly shown were limited to the following:
1. Username (UPN)
2. Tenant Name
3. Last activity date
4. isDeleted
5. deletedDate
6. Assigned products (license type).
Our telemetry indicates that one or more customers downloaded this report, which contained the incorrect information. No other details associated with your organization were available at any time.
We’re providing a list of the users whose information was incorrectly displayed in the report for your review. We’re providing the user GUIDs along with instructions on how to translate these into a readable UPNs.
Account Impacted:
<Guid>
End Of List
To translate these GUIDs into User Principal Names (UPN):
- If your organization uses Azure Active Directory, you may enter the GUID as the object ID in the Azure Portal.
- If your organization uses Active Directory, you may enter the GUID as the object GUID in the Management Console.
- You may also download and use the following PowerShell script to convert the GUIDs to UPN: https://aka.ms/GUIDtoUPNscript
As Microsoft takes customer privacy seriously, we wanted to make you aware of the issue.”
Teams Usage Report in the Microsoft 365 Admin Center
All data leaks are regrettable, and some can be catastrophic. In this instance, another customer getting to see the last activity date for a Teams user (identified by their UPN) is probably at the lower end of the scale. Based on the text, it seems like some problem happened in dealing with data generated using the Teams userActivityDetail Graph API, which is the basis for the activity reports available in the Microsoft 365 admin center (Figure 2).
Tenants can access the Graph data to create their own activity reports as needed (here’s an example). I don’t believe that the underlying Graph data is affected. It’s more likely that the misconfiguration issue referred to by Microsoft is something to do with a mistake made in the way that report data is extracted and used by the admin center.
Not a Systemic Problem
Some will decry any report of a data leak, no matter how inconsequential it is. Such a hardline attitude is justified in situations where leakage is an ongoing issue. That’s not the case inside Microsoft 365. At least, I’m unaware of a systemic problem because I have not received any data privacy messages. Perhaps I’ve been missing things like data privacy messages in my message center.
Seriously, this is a minor example of a data leak. The next one might be more severe, and it might affect your tenant. That’s one good reason to keep a close eye on the messages posted by Microsoft. Maybe it’s worthwhile considering the creation of a scheduled task to monitor new messages (here’s how to use the Graph to grab message data) as they appear and highlight any that seem important, like those marked with the data privacy tag.
