Microsoft Viva: View and moderate private community content without being a member
🚨 The Signal: Verified and Engage admins can now view and moderate private Viva Engage community content without being members. This enhances governance but increases the scope of administrative access to sensitive user communications.
The Impact
Admins gain new access to private community content, increasing data exposure risk if not properly managed.
- Security Teams: Increased risk of data exposure due to expanded admin access.
- Admins: New capabilities to view and moderate private content, requiring careful privilege management.
- End Users: Private communications are now accessible by a broader set of administrators.
- Compliance Teams: Need to review and update data access policies and privacy statements.
The Action
- Review and update administrative roles with 'Verified Admin' or 'Engage Admin' permissions in Microsoft Entra ID.
- Implement or refine access policies for Viva Engage administrators, ensuring least-privilege principles are applied.
- Communicate updated data access policies to end users regarding private community content.
- Audit existing Viva Engage communities for sensitive data that may now be exposed to admins.
- Configure audit logging for admin access to private community content within Viva Engage.
Domain: Purview · Impact: high · Workload: Microsoft Purview · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898