Looking at Microsoft 365 Priority Accounts Again

Removing Puzzlement

Last month I reported my puzzlement about Microsoft’s announcement of priority accounts. I couldn’t figure out what value these accounts brought to the table, especially as they were targeted solely at tenants with more than 10,000 accounts and more than 50 active Exchange Online users.

My report was based on details in a Microsoft blog post. As it turns out, the post was incorrect, or at the very least, misleading. To be fair to Scott Schnoll, who wrote the post, it focused on mail flow monitoring, which is only one of the scenarios covered by priority accounts.

After my article appeared, Scott reached out to clear up the confusion and told me that a follow-up post was due. That has now been published and the value proposition of priority accounts is much clearer.

Priority Accounts for All Tenants

First, priority accounts are available to all tenants. A priority account is simply an account tagged as a VIP. The exact definition of what constitutes a VIP is entirely in the hands of a tenant. Once you know who those accounts are, you tag them by running the Set-User cmdlet (part of the Exchange Online management module). For example, here’s how to tag all the members of a Microsoft 365 group:

$Members = Get-UnifiedGroupLinks -Identity "Senior Leadership Team" -LinkType Members
ForEach ($Member in $Members) { # Mark each user as a priority account
   Set-User -Identity $Member.WindowsLiveId -Vip:$True }

To check that the users are marked as VIPs, run the Get-User cmdlet:

Get-User -IsVIP | Format-Table DisplayName, UserPrincipalName

DisplayName                   UserPrincipalName
-----------                   -----------------
Tony Redmond                  [email protected]
Ben Owens (Business Director) [email protected]
James Abrahams                [email protected]
Marc Vilas                    [email protected]

Oddly, while the Get-User cmdlet can return a list of priority accounts, none of the properties returned for an individual account is called VIP or Priority or anything similar. The cmdlet evidently filters on a property that isn’t exposed in its output. This might change in future.
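The tagging and checking steps above can be combined into a single reconciliation script that keeps the VIP flag in line with the membership of a Microsoft 365 group and reports any drift. This is an added example, not code from the original post or from Microsoft; it assumes an Exchange Online management session is already connected and uses a placeholder group name.

```powershell
# Added example: reconcile priority (VIP) tagging against a Microsoft 365 group.
# Assumes Connect-ExchangeOnline has already been run. Group name is a placeholder.
$GroupName   = "Senior Leadership Team"   # placeholder: replace with your own group
$RemoveStale = $false                     # set to $true to untag accounts no longer in the group

# UPNs that should be priority accounts according to group membership (case-insensitive)
$ShouldBeVip = @{}
Get-UnifiedGroupLinks -Identity $GroupName -LinkType Members |
    Where-Object { $_.WindowsLiveId } |
    ForEach-Object { $ShouldBeVip[$_.WindowsLiveId.ToLower()] = $true }

# UPNs currently tagged as VIP. Get-User returns at most 1000 objects by default,
# so ask for an unlimited result size in larger tenants.
$CurrentlyVip = @{}
Get-User -IsVIP -ResultSize Unlimited |
    ForEach-Object { $CurrentlyVip[$_.UserPrincipalName.ToLower()] = $true }

# Group members not yet tagged, and tagged accounts that are no longer members
$ToAdd    = @($ShouldBeVip.Keys  | Where-Object { -not $CurrentlyVip.ContainsKey($_) })
$ToRemove = @($CurrentlyVip.Keys | Where-Object { -not $ShouldBeVip.ContainsKey($_) })

ForEach ($Upn in $ToAdd) {
    Set-User -Identity $Upn -Vip:$True
    Write-Host "Tagged $Upn as a priority account"
}

ForEach ($Upn in $ToRemove) {
    # A VIP flag set outside the group (for example by an administrator in the
    # Security and Compliance Center) shows up here, so review before removing.
    if ($RemoveStale) {
        Set-User -Identity $Upn -Vip:$False
        Write-Host "Removed priority tag from $Upn"
    } else {
        Write-Host "Tagged but not a group member (left unchanged): $Upn"
    }
}

# Summary line for the change log
[PSCustomObject]@{
    GroupMembers      = $ShouldBeVip.Count
    TaggedBefore      = $CurrentlyVip.Count
    Added             = $ToAdd.Count
    RemovalCandidates = $ToRemove.Count
} | Format-List
```

Running the script with $RemoveStale left at $false is a safe way to audit the tags: it adds missing ones and only lists accounts whose VIP flag has no matching group membership, which is the drift an administrator usually wants to review by hand.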

Microsoft’s post says that you can also tag accounts through the Microsoft 365 admin center and the Exchange admin center. I can’t verify that this is possible because it depends on eligibility for the premium mail flow monitoring feature (see below) or on having 50 active Exchange Online users. In any case, tags can be managed through the Threat Management section of the older Office 365 Security and Compliance Center (Figure 1), which is how you configure them for the priority account protection feature.

[Image: Office 365 Security and Compliance Center Tags]
Figure 1: Managing priority users in the Office 365 Security and Compliance Center (image credit: Tony Redmond)

Differentiated Features for Priority Accounts

Now that we have some tagged users, what value will they get from their new priority status? The answer is that it all depends on what licenses your tenant has. The ability to tag priority users is a foundational capability rather than a feature in its own right. The idea is that development groups inside Microsoft can build on the tag to deliver differentiated functionality to those users, or rather, to the people responsible for delivering high-quality service to the priority users.

The first two services are:

  • Premium mail flow monitoring (Exchange Online). Report mail flow issues for priority accounts to help tenants understand if any email problems exist for priority accounts which necessitate administrator action. The documentation says that this feature is only available to E3 or E5 tenants with more than 50 active Exchange Online users and 10,000 total accounts. The basic idea is that you’ll be advised when Exchange detects problems with mail flow to priority users. Although it’s nice to have a separate focus on these folk, I think that if a tenant is experiencing mail flow issues, every user will be screaming for help and the same fix will address all problems.
  • Priority account protection (Microsoft 365 Defender – ex-Advanced Threat Protection): Applying a higher level of protection to accounts likely to be targeted by attackers is a more compelling offer, as the last thing you want is for an executive to fall foul of a business email compromise attack or other phishing attempts like the recent Office VoIP voicemail notification lure. The aim is to deliver early warning when priority accounts are being targeted by malware and other threats. This feature requires Microsoft 365 Defender and is enabled for tenants with Office 365 E5 or Microsoft 365 E5 licenses. To learn more, view this Ignite video.

Microsoft hasn’t said if third-party developers will be able to build integrated features to leverage priority accounts. It’s easy (with PowerShell) to retrieve the set of priority accounts and limit a feature in an ISV product to just those accounts, but we don’t know yet if these accounts will be exposed through the Graph API or if hooks will exist to allow interoperability with Microsoft features designed for priority accounts. I guess that information will come in time.
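As an illustration of the PowerShell route mentioned above, the following added example (not from the original post and not any ISV’s or Microsoft’s code) loads the set of priority accounts once and uses it to restrict a feature, here a filter over alert records, to those accounts. It assumes an Exchange Online session is connected; the alert records and their addresses are constructed sample data.

```powershell
# Added example: limit a feature to priority accounts using the VIP tag.
# Assumes Connect-ExchangeOnline has already been run.

function Get-PriorityAccountSet {
    # Returns a case-insensitive set of UPNs tagged as VIP. ResultSize Unlimited
    # avoids the default 1000-object cap that would silently drop accounts.
    $Set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-User -IsVIP -ResultSize Unlimited |
        ForEach-Object { [void]$Set.Add($_.UserPrincipalName) }
    return $Set
}

function Select-PriorityAccountEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # records with a .Recipient UPN property
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $PrioritySet
    )
    # Keep only the records whose recipient is a priority account; anything
    # without a recipient is dropped rather than matched by accident.
    $Events | Where-Object { $_.Recipient -and $PrioritySet.Contains($_.Recipient) }
}

# Constructed sample records standing in for output from a mail security product.
# The addresses are placeholders, not real accounts.
$SampleEvents = @(
    [PSCustomObject]@{ Recipient = "ceo@example.com";    Subject = "Voicemail notification"; Verdict = "Phish" },
    [PSCustomObject]@{ Recipient = "intern@example.com"; Subject = "Voicemail notification"; Verdict = "Phish" },
    [PSCustomObject]@{ Recipient = "cfo@example.com";    Subject = "Invoice attached";       Verdict = "Malware" },
    [PSCustomObject]@{ Recipient = $null;                Subject = "Bounce";                 Verdict = "Clean" }
)

$Vips = Get-PriorityAccountSet
Select-PriorityAccountEvents -Events $SampleEvents -PrioritySet $Vips |
    Format-Table Recipient, Subject, Verdict
```

Building the set once and reusing it matters in practice: calling Get-User for every record would be slow and would hit throttling, while a HashSet with an ordinal-ignore-case comparer makes the per-record check cheap and avoids mismatches caused by differences in letter case between the two data sources.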

Hard to Call

It’s difficult to know if tenants will embrace priority accounts. Much depends on how many features are enabled by different development groups to deliver real and discernible value. The structure for priority accounts is there. Now it needs to be built on. We’ll just have to wait to see what product groups deliver.