Querying and updating report anonymization settings via the Graph API

Most of you are probably aware that Microsoft introduced an anonymization setting for the usage reports a while back. Toggling said setting, which you can find under the Microsoft 365 admin center > Settings > Org settings > Reports > Display concealed user, group and site names in all reports, will result in obfuscating identifiers for various object types, when represented in usage reports in the admin center, Graph API or other endpoints.

In the initial release, the setting could only be configured via the M365 Admin center UI. It took some convincing, but finally we have a way to query and update the setting value programmatically, by means of the /beta/admin/reportSettings endpoint. Currently, the only setting exposed under said endpoint is displayConcealedNames, which as the name suggests corresponds to the Display concealed user, group and site names in all reports setting in the UI. Apart from querying the current value, via a GET request, you can update the value by issuing a PATCH request. The permissions needed for the corresponding operation are ReportSettings.Read.All and ReportSettings.ReadWrite.All, respectively, with both delegate and application permissions supported.

Here are some examples on how to query and set the value of displayConcealedNames. I’ve skipped the “obtain token” part, as it can differ depending on the method used. As long as you have a valid token with the corresponding permissions, you should be able to run the below examples. To get the current value of displayConcealedNames, use a GET request against the endpoint:

$uri = 'https://graph.microsoft.com/beta/admin/reportSettings'
$Gr = Invoke-WebRequest -Headers $AuthHeader -Uri $uri
$result = ($gr.Content | ConvertFrom-Json)
$result

@odata.context displayConcealedNames
-------------- ---------------------
https://graph.microsoft.com/beta/$metadata#admin/reportSettings/$entity False

To update the value, issue a PATCH request with the corresponding payload:

$body = @{
"displayConcealedNames"= $true
} | ConvertTo-Json

$uri = 'https://graph.microsoft.com/beta/admin/reportSettings'
$Gr = Invoke-WebRequest -Headers $AuthHeader -Uri $uri -Method Patch -Body $body -ContentType 'application/json'

$Gr.StatusCode
204

We can also use the Microsoft Graph SDK for PowerShell. The current version (1.11.0) does not yet have a native cmdlet, but we can use the Invoke-MgGraphRequest cmdlet as a workaround. Here’s how to check the setting value with it:

Select-MgProfile beta
Invoke-MgGraphRequest -Method Get -Uri 'https://graph.microsoft.com/beta/admin/reportSettings'

Name Value
---- -----
displayConcealedNames True
@odata.context https://graph.microsoft.com/beta/$metadata#admin/reportSettings/$entity

And here’s how to update it:

Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Body (@{"displayConcealedNames"= $false} | ConvertTo-Json)
Invoke-MgGraphRequest -Method Get -Uri 'https://graph.microsoft.com/beta/admin/reportSettings'

Name Value
---- -----
displayConcealedNames False

I’ll try to remember to update the post once a native cmdlet is available and when the endpoint matures to /v1.0 🙂

This entry was posted in Azure AD, Graph API, Microsoft 365, Office 365, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.