Last Update: Sep 04, 2024 | Published: Jan 04, 2021
Last month I reported my puzzlement about Microsoft’s announcement of priority accounts. I couldn’t figure out what value these accounts brought to the table, especially as they were targeted solely at tenants with more than 10,000 accounts with more than 50 active Exchange Online users.
My report was based on details in a Microsoft blog post. As it turns out, the post was incorrect, or at the very least, misleading. To be fair to Scott Schnoll, who wrote the post, it focused on mail flow monitoring, which is only one of the scenarios covered by priority accounts.
After my article appeared, Scott reached out to clear up the confusion and told me that a follow-up post was due. That has now been published and the value proposition of priority accounts is much clearer.
First, priority accounts are available to all tenants. A priority account is simply an account tagged as a VIP. The exact definition of what constitutes a VIP is entirely in the hands of a tenant. Once you know who those accounts are, you tag them by running the Set-User cmdlet (part of the Exchange Online management module). For example, here’s how to tag all the members of a Microsoft 365 group:
$Members = Get-UnifiedGroupLinks -Identity "Senior Leadership Team" -LinkType Members
ForEach ($Member in $Members) {
    # Mark each user as a priority account
    Set-User -Identity $Member.WindowsLiveId -Vip:$True
}
To check that the users are marked as VIPs, run the Get-User cmdlet:
Get-User -IsVIP | Format-Table DisplayName, UserPrincipalName

DisplayName                    UserPrincipalName
-----------                    -----------------
Tony Redmond                   [email protected]
Ben Owens (Business Director)  [email protected]
James Abrahams                 [email protected]
Marc Vilas                     [email protected]
Oddly, while the Get-User cmdlet can return a list of priority accounts, none of the properties returned for an individual account is called VIP or Priority or anything similar. The cmdlet obviously uses invisible data. This might change in future.
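The loop shown earlier tags whoever is in the group at the moment it runs, so the tag set and the group membership can drift apart as people join or leave. The following is an added example, not code from the original article or from Microsoft, that compares the two lists and previews the correction. Get-VipTagDrift is a hypothetical helper name, the example.com names are constructed sample data, and the live part assumes a connected Exchange Online session.

```powershell
# Added example, not from the original article. Get-VipTagDrift is a hypothetical
# helper name; the cmdlets and the group name are the ones used above.
function Get-VipTagDrift {
    param(
        [string[]]$GroupMembers = @(),  # sign-in names that should be tagged
        [string[]]$TaggedUsers  = @()   # sign-in names that are tagged now
    )
    # -notin compares case-insensitively, which suits sign-in names.
    foreach ($u in ($GroupMembers | Where-Object { $_ -notin $TaggedUsers })) {
        [pscustomobject]@{ User = $u; Drift = 'MemberNotTagged' }
    }
    foreach ($u in ($TaggedUsers | Where-Object { $_ -notin $GroupMembers })) {
        [pscustomobject]@{ User = $u; Drift = 'TaggedNotMember' }
    }
}

# Constructed sample data (the example.com names are made up) so the comparison
# can be tried without a tenant: expect one row of each Drift kind.
Get-VipTagDrift -GroupMembers 'ceo@example.com', 'cfo@example.com' `
                -TaggedUsers  'CEO@example.com', 'former.vp@example.com'

# Live check, run only where the Exchange Online module is loaded and connected.
if (Get-Command Get-UnifiedGroupLinks -ErrorAction SilentlyContinue) {
    $members = Get-UnifiedGroupLinks -Identity "Senior Leadership Team" `
                   -LinkType Members -ResultSize Unlimited
    # An empty result (for example a mistyped group name) would flag every
    # tagged account as stale, so stop instead of proposing to untag them all.
    if (-not $members) { throw "Group returned no members; nothing compared." }

    $tagged = Get-User -IsVIP -ResultSize Unlimited
    # Assumption: WindowsLiveId and UserPrincipalName hold the same sign-in name.
    $drift = @(Get-VipTagDrift -GroupMembers $members.WindowsLiveId `
                               -TaggedUsers $tagged.UserPrincipalName)
    $drift | Sort-Object Drift, User | Format-Table -AutoSize

    # Preview the correction; remove -WhatIf to apply it.
    foreach ($d in $drift) {
        Set-User -Identity $d.User -VIP:($d.Drift -eq 'MemberNotTagged') -WhatIf
    }
}
```

Accounts reported as TaggedNotMember may have been tagged deliberately outside the group, so review that list before removing -WhatIf.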
Microsoft’s post says that you can also tag accounts through the Microsoft 365 admin center and the Exchange admin center. I can’t verify that this is possible because it depends on eligibility for the premium mail flow monitoring feature (see below), or 50 active Exchange Online users. In any case, tags can be managed through the Threat Management section of the older Office 365 Security and Compliance Center (Figure 1), which is how you configure them for the priority account protection feature.
Now that we have some tagged users, what value will they get from their new priority status? The answer is that it all depends on what licenses your tenant has. The ability to tag priority users is a foundational capability rather than a feature in its own right. The idea is that development groups inside Microsoft can leverage priority users to deliver differentiated service functionality to those users, or rather, to the people responsible for delivering high-quality service to the priority users.
The first two services are:
Microsoft hasn’t said if third-party developers will be able to build integrated features to leverage priority accounts. It’s easy (with PowerShell) to retrieve the set of priority accounts and limit a feature in an ISV product to just those accounts, but we don’t know yet if these accounts will be exposed through the Graph API or if hooks will exist to allow interoperability with Microsoft features designed for priority accounts. I guess that information will come in time.
It’s difficult to know if tenants will embrace priority accounts. Much depends on how many features are enabled by different development groups to deliver real and discernible value. The structure for priority accounts is there. Now it needs to be built on. We’ll just have to wait to see what product groups deliver.