(Updated) Microsoft 365: Enrich profile cards with custom properties from third-party systems

🚨 The Signal: Microsoft 365 profile cards can now display up to 10 custom properties from external HR systems. This enriches user profiles but introduces new data exposure vectors if not configured securely.

The Impact

Admins gain new configuration options, and a misconfigured property carries a security risk of unintended sensitive data exposure.

  • Admins: Must carefully select and configure custom properties to prevent oversharing.
  • Security Team: Needs to validate data sources and property visibility settings to mitigate data leakage.
  • End Users: May see more comprehensive, but potentially sensitive, information on profile cards.

The Action

  1. Identify sensitive data in potential custom properties from external HR systems.
  2. Determine which custom properties are genuinely necessary for profile card display.
  3. Plan visibility and display names for each custom property, adhering to data minimisation principles.
  4. Configure custom properties in the Microsoft 365 admin center: Settings > Org settings > People settings > Profile > Person info on profile cards.
  5. Regularly review configured custom properties and their visibility settings.
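
One way to run steps 1 to 3 (and the recurring review in step 5) as a repeatable check before anything is configured in the admin center. This is an added example, not Microsoft tooling: the plan format, its field names (`source_field`, `display_name`, `justification`), the sensitive-category patterns and the sample data are all assumptions made for illustration.

```python
import re

MAX_PROPERTIES = 10  # limit stated on this page

# Assumed sensitive categories; tune to your own data classification policy.
# Patterns are deliberately broad: a false positive costs one human review.
SENSITIVE = {
    "compensation": r"salary|compensation|pay[_ ]?(grade|band)|bonus",
    "government id": r"ssn|national[_ ]?id|passport|tax[_ ]?id",
    "personal": r"birth|dob|home[_ ]?address|personal[_ ]?(phone|email)",
    "health/HR case": r"medical|disab|leave[_ ]?reason|disciplin|performance",
}

def classify(text):
    """Return the sensitive categories whose pattern matches the text."""
    return [c for c, pat in SENSITIVE.items() if re.search(pat, text, re.I)]

def review_plan(plan):
    """Return (severity, property, message) findings for a planned property list."""
    findings = []
    if len(plan) > MAX_PROPERTIES:
        findings.append(("block", "*", f"{len(plan)} properties planned, limit is {MAX_PROPERTIES}"))
    seen = set()
    for p in plan:
        name = p["display_name"]
        # Check the HR source field too: a neutral display name can hide sensitive data.
        for cat in classify(p["source_field"] + " " + name):
            findings.append(("block", name, f"matches sensitive category: {cat}"))
        if not p.get("justification", "").strip():
            findings.append(("warn", name, "no business justification recorded"))
        if name.lower() in seen:
            findings.append(("warn", name, "duplicate display name"))
        seen.add(name.lower())
    return findings

# Constructed sample plan, not real HR data.
SAMPLE_PLAN = [
    {"source_field": "cost_center", "display_name": "Cost center", "justification": "Routing of purchase requests"},
    {"source_field": "pay_grade", "display_name": "Level", "justification": "Requested by HR"},
    {"source_field": "desk_location", "display_name": "Desk", "justification": ""},
    {"source_field": "emp_dob", "display_name": "Birthday", "justification": "Team celebrations"},
]

if __name__ == "__main__":
    for severity, prop, message in review_plan(SAMPLE_PLAN):
        print(f"{severity:5} {prop:12} {message}")
```

The "Level" entry is the case worth noting: its display name looks harmless, and only the source field reveals that it would publish pay grade data.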

Domain: Exchange · Impact: medium · Workload: Exchange Online