SharePoint 2016 – The Values of Hybrid, Cloud and on-prem

SharePoint 2016 – The Values of Hybrid, Cloud and on-prem

Hier das Video zu meinem Vortrag auf der Cloud and Datacenter Conference 2017 in München:

Delve and the Office Graph Inside Out Part II

In addition to my first post about the insides of Office Graph and Delve (Delve and the Office Graph Inside Out) this article is focusing on which signals are used by the Graph to generate the individual Delve experience.

Signals used by the Graph

You can find all the information you need about signals used by the Graph in this msdn article: https://msdn.microsoft.com/office/office365/howto/query-Office-graph-using-gql-with-search-rest-api

Based on this article we have the following Action Types:

• PersonalFeed
• Modified
• OrgColleague
• OrgDirect
• OrgManager
• OrgSkipLevelManager
• WorkingWith
• TrendingAround
• Viewed
• WorkingWithPublic

As you can see in the msdn article the list of signals can be dived in private signals and public signals so that data privacy is respected all the time:

https://msdn.microsoft.com/office/office365/howto/query-Office-graph-using-gql-with-search-rest-api#available-action-types

In addition Mark Kashman published an article on Microsoft techcommunity about Understanding security and privacy of Delve and intelligent experiences in Office 365. In this article, we can find the following diagram:

So we can extend the list taken from the msdn article to this aggregated version:

• PersonalFeed
• Modified
• OrgColleague
• OrgDirect
• OrgManager
• OrgSkipLevelManager
• WorkingWith
• TrendingAround
• Viewed
• WorkingWithPublic

• Member of
• Created by
• Shared with me
• Direct reports
• Public

Some of this signals are clear like for example Modified, Viewed, Created by, etc. some others are a little bit mystic like TrendingAround. We can imagine what TrendingAround means, but we cannot get an information about how this signal is processed in all details.

Anyway, it is easy to understand how this signals are used to generate the individual Delve experience.

The myth about the People suggestion in Delve

It is easy to imagine how content suggestions are generated based on signals. But one of the most asked questions about the Delve experience is about the difference between People list on the left and Related People in my personal Delve feet. Based on the signals list we can definitely get a better understanding about this. People on the left are other users we visited in Office 365 respectively we have clicked on their Delve profile. Related People are based on signals like “Member of”.

So for example if you are Member of

• Member of a Distribution List in Exchange Online
• Member of a Office 365 Group
• Member of the same Manger or “Direct Reports” entity

this is processed by the Graph to generate the Related People overview in your Delve feet.

As we can see also in this scenario data privacy and data security is respected by the Office Graph and Delve. If you are a “Member of” the same Distribution List or Office 365 Group, you can see all the other members anyway.

More details about this and also about compliance in Delve can be found in Mark Kashmans article “Understanding security and privacy of Delve and intelligent experiences in Office 365” I mentioned above.

Related articles:

• Delve and the Office Graph Inside Out
• All articles about Delve in my blog

Delve and the Office Graph Inside Out

Insides - Management - Compliance

While there exist many excellent blog posts, interviews and videos about Delve and the Office Graph from experts around the world, this post will be about Insides, Management, Compliance. We will also look at data security and data privacy aspects and concerns, not only from a technical perspective but also with regards to the new EU General Data Protection Regulation (EU Datenschutzgrundverordnung)

Insides

My experience with customers is that they need to understand more what the Office Graph is doing and how the results Delve is showing are build. I use in my sessions or in discussions with customers this picture from a Microsoft deck to explain a little bit the underlying fabric:

The Active Content Cache

•         Designed to enable near-real time updates at conversational speed (measured in seconds)
•          Contains most recently active items
•          Not designed to contain the full Tenant Graph, but rather the most likely to be relevant nodes and edges.
•          Every object has an expiration policy associated with it.

Tenant Graph Store

•          The full graph of all the nodes and edges within a tenant.
•          Optimized for analytics, not speed
•          Indexed to efficiently locate nodes and used to push nodes and edges into the Active Content Cache.
•          Because optimization decisions the latency of moving nodes and edges into the Active Content Cache cannot be guaranteed to be “conversational.”

Input Router

•         Directs the incoming edits to the Active Content Cache and Tenant Graph Store
•          Updates external applications regarding these edits
•          Powers the Conversational Experience

Workload Analytics

•         Specific to each workload, this is the piece responsible for reviewing local data and updating the Graph through the REST API. 
•         Only changes to the Active Content Cache or to Tenant Analytics are pushed by the API

Curios is that this is nothing you can change or configure. But to hear about the technology in the back gives customers a better feeling.

Management

I wrote a blogpost about how to switch to an opt-in like experience instead of the opt-out version. To be true this is only a workaround but customers like it. It gives them the changes to start with only some users in Delve to get more familiar with it. Opt-in as a default for Delve

If you don’t want a specific document to show up in Delve, you can create a HideFromDelve site column of the type Yes/No. This site column creates a new crawled property, ows_HideFromDelve, which is automatically mapped to the HideFromDelve managed property.

Compliance

We had an internal Yammer discussion with Mark Kashman about Delve Security & Privacy. Mark wrote the following statement and I asked him if this is good for sharing. Marks answer was: “Certainly OK to share the copy/paste'able section I wrote in the initial post of this thread.” So I will share this with you:

Delve is covered under the Office 365 Trust Center and meets all of the requirements of our highest level of compliance which Microsoft refers to as “Tier D” compliance, e.g., ISO 27001 and 27018 certification, SOC 1 and SOC 2 compliance. Delve is also licensed under the Microsoft standard Online Services Terms which include commitments such as the EU Model Clauses. This, too, applies to the Microsoft Graph - the underlying intelligent layer that uses advanced analytics to provide relevant, personalized insights via Delve and other user interface experiences throughout Office 365.

Office 365 customers own their Microsoft Graph data, which is stored in their partition of the SharePoint Online and Exchange Online environments. It, too, has the same data protection and security as other customer data stored in the same cloud services.

For users, Delve never changes any permissions on content or other information. Users only discover what they already have permission to see. Only users can see their private documents in Delve, unless they decide and take action to share them. Other people can't see each other's private activities, such as what documents they've read, what emails they've sent and received, or what Skype for Business conversations they've been in. Other people can see when others modify a document, but only if they have access to the same document. What you see when you open Delve is personalized to that user, and no one else sees exactly the same thing as they do.

It is possible to opt out of Delve and the Microsoft Graph at both the tenant level and the user level. Once opted out, users will not see the Delve tile in the Office 365 app launcher, and various services that surface aspects of the Microsoft Graph to provide intelligence throughout Office 365 will simply not appear, or revert back to previous non-Graph-based methods - i.e. search-based vs graph-based. One example, if you opt out, you would not see the new "Discover" tab within OneDrive for Business - yet the core of OneDrive for Business remains intact.

To learn more, please review these two important Delve security and privacy support articles; the first for admins and second for users: "Office Delve for Office 365 admins", "Are my documents safe in Office Delve?".

THX Mark!

Experts Inside South Africa Event

Experts Inside South Africa invites you to an an exclusive event to showcase and discuss some of the latest offerings from Microsoft in the Office 365 and Hybrid ecosystems. We’ll be looking at some of the newest and most exciting Office 365 product, Teams, as well as practical guidance to better managing and levering experiences in Delve, Search, the Office Graph and more.

These sessions will be presented by two of Expert Inside’s principle consultants and MVPs, Hilton Giesenow (South Africa) and Nicki Borell (Germany). We look forward to seeing you there! 

Enterprise Search

Many excellent blog posts, interviews and videos about SharePoint and Office 365 search, Delve and Office Graph certainly

exist. This session differs by showing real-world customer scenarios and solutions including the user stories, end-user and

decision maker perspectives and how Delve formed the primary component of an Office 35-based global Intranet. Topics

include data security and privacy aspects and concerns. 

Microsoft Teams

Nearly 2 decades of enterprise social and collaboration technologies from Microsoft have resulted in what looks to be the

company’s most powerful, intuitive, integrated and mobile-capable toolset. Only just in it’s first release (Nov 216) it already

rivals market leaders like Slack, even surpassing it in some areas. Is this the Slack killer some claim? Will it replace Yammer

altogether? In this session we’ll see how Teams works and address and discuss these and other topics.

PnP Partner Pack – Microsoft’s Free Provisioning, Branding and Governance Toolset

The Office 365 Patterns and Practices team comprises experts from around the globe, both within and external to Microsoft,

who provide guidance, tools, libraries and scripts to better provision and maintain Office 365 and on premises SharePoint

sites, lists, libraries and more. One of their recent projects, the PnP Partner Pack, packages many of these existing solutions

into a free turnkey solution to manage provisioning, managing, maintaining and governing solutions, branding, responsive 

design and other elements across SharePoint, Groups, Yammer and other Office 365 workloads. This session examines 

aspects these and other aspects like like self service site creation, site templates and governance automation.

Opt-in as a default for Delve

UPDATE: Sinc Jun 2017 this methode will not longer work!

Standard option for Delve in Office 365 is an opt-out option for each user. Details can be found in this Microsoft support article: Office Delve for Office 365 admins

A lot of scenarios with customers focusing on an option to not have Delve active per default for each user. In this scenario, an opt-in behavior for the end-users is the expected experience.

The high level requirements:

• Initially disable Delve for each and every enrolled O356 User
• For all new enrolled users Delve should be opt-out by defaul

This can be done disabling the access to the Office Graph in SharePoint Online Admin portal:

https://support.office.com/en-us/article/Office-Delve-for-Office-365-admins-54f87a42-15a4-44b4-9df0-d36287d9531b#bkmk_delveonoff 

To enable the access to Delve only for some users we can use the property “OfficeGraphEnabled” in the UserProfile Service of SharePoint Online.

Default this property is not set which result in Delve is visible for every user.

Using CSOM or CSOM with PowerShell we can set this property to “FALSE”. The result is:

• Every user sees Delve in his App Launcher in Office 365
• If he clicks on Delve he only gets his Delve profile page. No “Suggested People” or content cards etc. is shown
• The user can opt-in Delve on his own
• General access to the Office Graph must be enabled in this scenario

Doing this the result for the user looks like this:

Write and Get User Profile Properties in SharePoint Online with PowerShell

To Write and Get of User Profile properties in SharePoint Online via PowerShell with CSOM you can use that script: Script to Write and Get User Profile Properties in SharePoint Online with CSOM

Based on this the command to set the property OfficeGraphEnabled to FALSE is:

.\Set-SPOUserProfileProperty.ps1 -PropertyName OfficeGraphEnabled -AccountName %USERNAME%@%YOUR DOMAIN%.onmicrosoft.com' -Value "FALSE" -SPOAdminPortalUrl 'https://%YOUR DOMAIN%-admin.sharepoint.com' -UserName %ADMIN ACCOUNT%@%YOUR DOMAIN%.onmicrosoft.com -Password xxxxxxxxx

To avoid the users to opt-in Delve we can set the property “OfficeGraphEnabled” in the UserProfile Service of SharePoint Online to “cannot be edit by user”.

Doings this the user cannot opt-in Delve on his own to see “Suggested People” or content cards etc. Only a Admin can opt-in Delve for the users.

NOTE that Delve and the Office Graph is based on user interaction with content and other people in the Office 365. So if only some users use it the results can be disappointing.