The purpose of this document is to provide you with some tools and/or explanations to common problems with the Lifecycle Insight Microsoft 365 integration. Here the areas that our partners generally have questions about:
- De-identified / Random data in the User List
- User Level MFA data missing or Errors in Sync Logs
- Old/Stale MS 365 data in the User List
De-identified / Random data in the User List
One of the most common problems we see is that MS 365 data in the User List shows as de-identified GUIDs (IE. random numbers and letters). Here is an example:
The data is coming across de-identified because of a setting in Microsoft. On August 30th, 2021 Microsoft introduced a subtle change to their default settings related to privacy. Specifically, they have introduced a setting by default that will de-identify user data in their Usage Reports. Meaning, instead of sending legitimate emails and names, they are sending a random string of data.
** This change not only impacted LCI, but also impacts all vendors that use the Reports API, as well as the Microsoft Usage reports themselves in the MS365 Admin Center.
At LCI, we issue API calls that use the same endpoints as Microsoft's Usage Reports do. This means that by default, the users we pull from Microsoft are showing as the de-identified data in the User List (as opposed to their email address and name).
Microsoft has published an article regarding this topic. To have real user information come across to LCI, you will need to review this article and make the setting change to ensure that identifiable data can be shown.
This setting change is at the tenant/customer level. So it will need to be made for each tenant/customer you want us to pull Microsoft information for.
**** For those users that are proficient at powershell, there are articles that discuss how to update this setting programmatically. One such article is from Kelvin @ Cyberdrain (super smart guy). This is not an LCI resource, so please decide to use/not use at your own discretion. Here is the link.
Update:
It has come to out attention that the instructions included in the post (referenced above) from Microsoft may not be accurate for all Microsoft partners. Specifically, to change this setting you might need to:
1. Go to MS 365 Admin Center for each tenant
2. Click on Settings Org Settings
3. Click on Reports
4. UNCHECK 'Display concealed user, group and site names in all reports'
Please note that Microsoft changes interface frequently. Screenshots may reflect different versions.
Note: Once this change is made, you will need to initiate a sync from LCI to Microsoft to see updated data. Sync will automatically occur at night if you do not run one on-demand.
User Level MFA Data is Missing or Errors in Sync Logs
As part of the our Microsoft 365 integration, we will attempt to pull user level MFA data to display in the User List Report. Specifically, we will try to pull MFA Registration Status and any associated MFA Authentication Methods. See below:
It is important to note that Microsoft will only provide this information over it's API if certain requirements are met. Those requirements are listed below:
- The Microsoft tenant (IE Your customer) must have an Azure AD Premium P1 or P2 License
- The Microsoft tenant (IE Your customer) must implement modern MFA with Conditional Access Policies configured. For more information from Microsoft on this, please click here.
Microsoft will send back an error code in the API call used for our sync process if the 1st requirement is not met. If Microsoft does send back an error code (again, meaning that the Microsoft tenant does NOT have Azure AD Premium P1 or P2 license), you will be able to tell by one of three ways.
#1: The Microsoft 365 MFA Status and Microsoft 365 Authentication Methods columns in the User List will NOT be displayed.
#2: In Data Sync Manager, you will see an error that looks like this for your client:
#3: In Administration Integrations Microsoft 365 Log/Sync tab, you will see an error like this for Area: User Level MFA Data (User List)
Note: We have seen that if you did not have the necessary license requirements (Azure AD P1 or P2), and later add it...that it can take Microsoft up to 1 week to start sending the MFA data over their API.
Old or Stale Data is Showing in the User List
The Microsoft Reporting APIs that we use to populate the MS 365 columns in the user list do not return up to date / live data. Instead, the data returned is typically 1-7 days old. Note that this is not only true for LCI, but it also true for MS365 User Activity Reports inside Azure Portal as well.
To help identify what date the Microsoft data is reflective of, Microsoft returns a last refresh date in their API. In Lifecycle Insights, you can view the Last Refresh Date in the banner bar of the User List report.
The report above was generated on May 13th, 2022. However, you can see in the highlighted box that we are showing that the Last Refresh date is May 11th, 2022. So in this case, the Microsoft API was returning data that was 2 days old.