Connected experiences and privacy

Office includes client applications and integrated features aimed at improving your productivity in creation, communication, and collaboration. Collaborating on documents saved to OneDrive or converting a Word document’s text into another language exemplify these integrated experiences.

There are four main categories of connected experiences:

Microsoft privacy controls

Users who log in with a work or school account can choose to use the optional connected experiences provided. All data shared with Microsoft is handled according to the Microsoft Services Agreement (https://www.microsoft.com/en-us/servicesagreement) and the privacy statement (https://privacy.microsoft.com/en-US/privacystatement). The privacy statement details how Microsoft processes personal data and the purposes for which it is done. The Microsoft Services Agreement constitutes a contract between the user and Microsoft (or an affiliate) that sets out the terms for using Microsoft's consumer online products and services. By accessing or using these Microsoft products or services, users implicitly accept the terms of both the privacy and service agreements.

Therefore, it is advisable to consult with your legal department and obtain approval from senior management if there are particular business needs and requirements regarding these agreements.

A full overview of the services that are covered by these agreements can be found here: https://www.microsoft.com/en-us/servicesagreement#serviceslist

In addition, if you are already using, for example, Windows devices, it may be worthwhile to check what kind of data you are already sharing with Microsoft, as most organizations don't realize that they are, by default, already sharing a lot of information. More information about the data shared can be found here: https://privacy.microsoft.com/en-US/data-collection-Windows

Managing the connected experiences

Companies may be worried about their users’ privacy and the type of data shared with Microsoft. They might also have queries regarding Microsoft’s data protection measures.

Policy settings let you manage these connected experiences. With them you can enable or disable these services, and you implement them by deploying the settings across your organization.

It’s important to be aware that without specific configuration, all connected experiences will be available to your users, providing them with the full range of features offered by Microsoft 365 Apps for enterprise. However, we recognize you may need to deactivate some or all connected experiences to adhere to your company’s policies.

Manage via policies

The first option is to disable them via policy. These policy settings can be implemented by using either Group Policy or Cloud Policy. If you're using Group Policy, you need to download the most current version of the Administrative Template files (ADMX/ADML) from the Microsoft Download Center.

Below is a summary of the relevant policy settings to adjust and links that offer additional information.

| Connected Experience | Policy Setting | URL |
| --- | --- | --- |
| Disable/allow option for the level of diagnostics data sent to Microsoft | Configure the level of client software diagnostic data sent by Office to Microsoft | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls#policy-setting-for-diagnostic-data |
| Disable/allow option that analyzes content | Allow the use of connected experiences in Office that analyze content policy | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls#policy-setting-for-connected-experiences-that-analyze-your-content |
| Disable/allow option that downloads online content | Allow the use of connected experiences in Office that download online content | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls#policy-setting-for-connected-experiences-that-download-online-content |
| Disable/allow optional services | Allow the use of additional optional connected experiences in Office | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls#policy-setting-for-optional-connected-experiences |
| Disable/allow all services | Allow the use of connected experiences in Office | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls |

Be aware that various options exist for Windows, Mac, iOS, Android, and Office on the web, each requiring distinct settings. If you use multiple devices across these platforms, be sure to configure the settings on each one accordingly.

| Device/platform | URL |
| --- | --- |
| Windows | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls |
| Mac | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/mac-privacy-preferences |
| iOS | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/ios-privacy-preferences |
| Android | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/android-privacy-controls |
| Office for the web | https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/office-web-privacy-controls |

Manage via Purview labels

Alternatively, users have the option to block connected features when assigning a label to certain documents. This label setting prevents data from being sent to Microsoft for content analysis, serving as a measure for privacy protection. Nonetheless, enabling this setting will restrict some intended functionalities, like Outlook's data loss prevention policy tips, automatic and recommended labeling, and also impacts services like Microsoft Copilot for Microsoft 365. Although content with the configured sensitivity label will be excluded from Microsoft Copilot in the named Office apps, the content remains available to Microsoft Copilot for other scenarios, for example in Teams and in Graph-grounded chat in a browser.

To initiate this process, one must first establish a connection with the Security & Compliance PowerShell environment: https://learn.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell

Subsequently, the 'Set-Label' command paired with the -AdvancedSettings parameter can be configured with @{BlockContentAnalysisServices="True"} to activate the feature. For instance:

Set-Label -Identity "8fxyz7b8-8d20-65a3-8fr2-0f93420a848e" -AdvancedSettings @{BlockContentAnalysisServices="True"}

To return the setting back to the default of sending the labeled content to Microsoft connected experiences for analysis, remove the setting or set the value to False.
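
The full procedure above, with a verification step, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, that admin@contoso.example is a placeholder account, and that Get-Label renders each advanced setting as a "[key, value]" string in its Settings property; Get-LabelContentAnalysisBlock is a helper name made up for this example.

```powershell
# Added example: set the advanced setting, then confirm which labels carry it.
# Connect to Security & Compliance PowerShell (placeholder account).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# Label identity as used in the article's example.
$labelId = '8fxyz7b8-8d20-65a3-8fr2-0f93420a848e'

# Block content analysis for documents carrying this label.
Set-Label -Identity $labelId -AdvancedSettings @{BlockContentAnalysisServices="True"}

# Hypothetical helper: list every label with its current value of the setting,
# so the change can be verified and labels that were missed stand out.
function Get-LabelContentAnalysisBlock {
    Get-Label | ForEach-Object {
        $value = '(not set)'
        foreach ($setting in $_.Settings) {
            # Assumption: each entry is rendered as "[key, value]".
            if ("$setting" -match '^\[blockcontentanalysisservices,\s*(.+)\]$') {
                $value = $Matches[1]
            }
        }
        [pscustomobject]@{
            DisplayName                  = $_.DisplayName
            Guid                         = $_.Guid
            Priority                     = $_.Priority
            BlockContentAnalysisServices = $value
        }
    } | Sort-Object Priority
}

Get-LabelContentAnalysisBlock | Format-Table -AutoSize

# Revert to the default behaviour for this label by setting the value to False.
# Set-Label -Identity $labelId -AdvancedSettings @{BlockContentAnalysisServices="False"}
```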

In general, this would mean content that is labelled with a specific label is exempt from sharing data with Microsoft. Data that is not labelled will still be shared within the connected experience. One could, for example, argue that privacy-sensitive data should either receive a specific (sub)label or that the most sensitive data should always be excluded.

Auditing labels

There is also the option to audit label usage. This can be done via the content explorer, audit logs or activity explorer. This will help you to understand how these labels are being used within your environment. You can also integrate them with SIEM software such as Sentinel.

This allows you, for example, to monitor labels that might be misused to circumvent the privacy blocking features in place, for instance by lowering the classification of data.
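
One way to express that monitoring rule, as an added example that is not part of the original article. The label inventory, the events and their field names (Time, User, File, OldLabel, NewLabel) are constructed for illustration; map them from whatever your audit export or SIEM table provides.

```powershell
# Added example. Constructed label inventory: which labels have
# BlockContentAnalysisServices=True. Names are sample values.
$labels = @{
    'Public'              = @{ BlocksAnalysis = $false }
    'Internal'            = @{ BlocksAnalysis = $false }
    'Highly Confidential' = @{ BlocksAnalysis = $true  }
}

# Constructed label-change events; field names are hypothetical.
$events = @(
    [pscustomobject]@{ Time = '2024-05-02T09:14:00Z'; User = 'alice@contoso.example'; File = 'payroll.xlsx'; OldLabel = 'Highly Confidential'; NewLabel = 'Internal' }
    [pscustomobject]@{ Time = '2024-05-02T10:01:00Z'; User = 'bob@contoso.example';   File = 'roadmap.docx'; OldLabel = 'Internal';            NewLabel = 'Highly Confidential' }
    [pscustomobject]@{ Time = '2024-05-02T11:30:00Z'; User = 'carol@contoso.example'; File = 'hr-case.docx'; OldLabel = 'Highly Confidential'; NewLabel = '' }
)

# Flag changes that move content away from a label that blocks content analysis.
function Find-PrivacyBlockBypass {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $Labels
    )
    foreach ($e in $Events) {
        # Only changes away from a blocking label are of interest here.
        if (-not $e.OldLabel -or -not $Labels.ContainsKey($e.OldLabel)) { continue }
        if (-not $Labels[$e.OldLabel].BlocksAnalysis) { continue }

        $reason = $null
        if (-not $e.NewLabel) {
            $reason = 'Label removed'
        } elseif (-not $Labels.ContainsKey($e.NewLabel)) {
            $reason = 'Changed to unknown label'
        } elseif (-not $Labels[$e.NewLabel].BlocksAnalysis) {
            $reason = 'Changed to label without content-analysis block'
        }
        if ($reason) {
            [pscustomobject]@{
                Time = $e.Time; User = $e.User; File = $e.File
                From = $e.OldLabel; To = $e.NewLabel; Reason = $reason
            }
        }
    }
}

Find-PrivacyBlockBypass -Events $events -Labels $labels | Format-Table -AutoSize
```

With the constructed data, the first and third events are flagged; the upgrade in the second is not.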

In general

  • When introducing new settings, it’s crucial to conduct trials in a restricted and manageable setting to confirm they produce the intended outcomes before broadly applying these policy settings across your organization.
  • Disabling certain connected experiences will result in their corresponding ribbon or menu options becoming inactive, or in users receiving error messages when attempting to access these features.
  • Nevertheless, turning off these connected experiences does not affect all Office functions. Capabilities such as syncing an Outlook mailbox or the functionality of Teams and Skype for Business persist. Additionally, there are services fundamental to the operation of Office that cannot be disabled, including the licensing service that verifies your legitimate use of Office.
  • Be aware that it’s possible to restrict the data shared with Microsoft. Nevertheless, achieving a balance among Security, Privacy, and Usability is an ongoing process that must be tailored to each business individually. No universal solution exists because every organization has unique legal and business needs.