Teams User Surveys Pose Privacy Concerns for Office 365 Tenants

MC187538

Sometimes I wonder about the decision-making process used by Microsoft development groups. What, for instance, is the logic behind the latest attempt to have direct contact with Office 365 users seen in Office 365 notification MC187538 posted on August 8, which tells us that Microsoft wants to use periodic pop-up surveys (Figure 1) to canvass the opinion of end users about Teams? Obviously I missed the importance of Office 365 roadmap item 54165 and its 52884 predecessor, which explain Microsoft’s eagerness to know how they’re doing with Teams.

Figure 1: A Teams survey (image credit: Microsoft)

The answer, based on recent numbers, is “just fine,” at least if you measure success against Slack as the yardstick. But that’s not an excuse to ask users questions without tenant approval.

Feedback Policy

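A Teams feedback policy can be assigned to user accounts to control whether users are allowed to give feedback or participate in surveys. The New-CsTeamsFeedbackPolicy cmdlet is part of the Skype for Business Online module. The commands below create a policy that disables both options and assign it to every user mailbox in the tenant.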

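# Requires sessions to both Skype for Business Online (Cs* cmdlets) and Exchange Online (Get-Mailbox)
# Create a policy that blocks both user-initiated feedback and surveys
New-CsTeamsFeedbackPolicy -Identity "Tenant Bar Feedback Policy" -UserInitiatedMode Disabled -ReceiveSurveysMode Disabled
# Find all user mailboxes and assign the policy to each account
$Mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Select-Object DisplayName, UserPrincipalName
ForEach ($M in $Mbx) {
   Write-Host "Processing" $M.DisplayName
   Grant-CsTeamsFeedbackPolicy -PolicyName "Tenant Bar Feedback Policy" -Identity $M.UserPrincipalName
}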

If you want to allow users to give feedback to Microsoft while disabling surveys, set UserInitiatedMode to Enabled in the policy.
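The feedback-allowed, surveys-disabled variant described above, written as a re-runnable script that records which assignments failed. This is an added example, not code from the original article; the policy name and CSV path are hypothetical, and it assumes sessions to Skype for Business Online and Exchange Online are already open.

```powershell
# Added example (not the article's code). Assumes connected sessions to
# Skype for Business Online (Cs* cmdlets) and Exchange Online (Get-Mailbox).
$PolicyName = "Feedback Allowed No Surveys"      # hypothetical policy name
$FailureLog = ".\FeedbackPolicyFailures.csv"     # hypothetical output path

# Create the policy only if it is missing, so the script can be run repeatedly
# (for example, on a schedule to pick up newly created accounts).
if (-not (Get-CsTeamsFeedbackPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-CsTeamsFeedbackPolicy -Identity $PolicyName `
        -UserInitiatedMode Enabled -ReceiveSurveysMode Disabled | Out-Null
}

$Mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Select-Object DisplayName, UserPrincipalName

# Assign the policy and keep one result row per account instead of relying
# on console output, so failed assignments are not silently missed.
$Report = foreach ($M in $Mbx) {
    $Status = "Assigned"
    $Detail = ""
    try {
        Grant-CsTeamsFeedbackPolicy -PolicyName $PolicyName `
            -Identity $M.UserPrincipalName -ErrorAction Stop
    }
    catch {
        $Status = "Failed"
        $Detail = $_.Exception.Message
    }
    [PSCustomObject]@{
        User   = $M.UserPrincipalName
        Status = $Status
        Detail = $Detail
    }
}

# Summarize the run and write the accounts that still need attention to a file.
$Report | Group-Object Status | Select-Object Name, Count
$Report | Where-Object Status -eq "Failed" |
    Export-Csv -Path $FailureLog -NoTypeInformation
```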

Previous Attempts to “Help” Office 365 Tenants

We’ve been down this road before with Microsoft proposals to give people helpful hints about how they might use Office 365, or to create Office 365 groups for managers and their direct reports, or insert unwanted transport rules to encrypt messages. All these proposals ran contrary to the basic promise that Microsoft makes on the Office 365 trust center when they tell tenants that “it’s your data” and that tenants “own your data and retain all rights, title, and interest in the data you store with Office 365.”

Well, you can’t own your own data if someone else keeps on trying to use that data for their own purposes. Knowing who has Office 365 accounts in a tenant is part of that data. Microsoft is obviously entitled to use the data for accounting purposes (otherwise they couldn’t report current active user numbers in their quarterly reports).

Microsoft and Office 365 Usage Data

Knowing what users do inside a tenant is also your data. Microsoft exposes some of the data that they gather (in abundance) to tenants in usage reports, Power BI usage packs, and the MyAnalytics and WorkAnalytics apps. ISVs also use data (with tenant approval) to generate reports for their products. But Microsoft accumulates much more data than is shared with tenants. Microsoft gathers the data in the Microsoft Graph and other databases for analysis by engineering groups to help identify product issues and improve functionality.

But so much data is gathered that Microsoft ran into heavy weather when the Dutch Government issued a DPIA in November 2018 that revealed some GDPR violations in the Office apps and Office 365. In March 2019, Microsoft responded with some additional privacy controls for the Office apps, but nothing much has changed in Office 365. At least, not that I can see.

And it now seems that Microsoft has people called “support ambassadors” reach out to tenant administrators because “our system detected that not all users are using the services included in your Office 365 subscription.” As MVP Paul Robichaux so eloquently points out, Microsoft would be better off fixing the sometimes awful Office 365 support instead of analyzing who’s using what service. Did anyone in Microsoft seek permission to use tenant usage data to create the basis for such a discussion?

Privacy is Important

The data that the Teams developers want to get through end user surveys is further grist to the privacy mill. Questions such as who will have access to the survey data, how the data will be used, how long it will be kept, and how Microsoft will protect user privacy need to be answered, not least to ensure that Microsoft satisfies its GDPR obligations. And no one has mentioned whether tenants will get any feedback from responses given by their users, something that you’d imagine should happen to help tenants adjust their Teams deployment plans if necessary.

Overall, although tenants can control whether users see these surveys, some work is needed to improve tenant access to whatever survey data is collected. Why should Microsoft know that users think a Teams deployment sucks dirty canal water while leaving tenant administrators in blissful ignorance?