Looking at Microsoft 365 Priority Accounts Again

Removing Puzzlement

Last month I reported my puzzlement about Microsoft’s announcement of priority accounts. I couldn’t figure out what value these accounts brought to the table, especially as they were targeted solely at tenants with more than 10,000 accounts with more than 50 active Exchange Online users.

My report was based on details in a Microsoft blog post. As it turns out, the post was incorrect, or at the very least, misleading. To be fair to Scott Schnoll, who wrote the post, it focused on mail flow monitoring, which is only one of the scenarios covered by priority accounts.

After my article appeared, Scott reached out to clear up the confusion and told me that a follow-up post was due. That has now been published and the value proposition of priority accounts is much clearer.

Priority Accounts for All Tenants

First, priority accounts are available to all tenants. A priority account is simply an account tagged as a VIP. The exact definition of what constitutes a VIP is entirely in the hands of a tenant. Once you know who those accounts are, you tag them by running the Set-User cmdlet (part of the Exchange Online management module). For example, here’s how to tag all the members of a Microsoft 365 group:

$Members = Get-UnifiedGroupLinks -Identity "Senior Leadership Team" -LinkType Members
ForEach ($Member in $Members) {
   # Mark each user as a priority account
   Set-User -Identity $Member.WindowsLiveId -Vip:$True
}

To check that the users are marked as VIPs, run the Get-User cmdlet:

Get-User -IsVIP | Format-Table DisplayName, UserPrincipalName

DisplayName                   UserPrincipalName
-----------                   -----------------
Tony Redmond                  [email protected]
Ben Owens (Business Director) [email protected]
James Abrahams                [email protected]
Marc Vilas                    [email protected]

Oddly, while the Get-User cmdlet can return a list of priority accounts, none of the properties returned for an individual account is called VIP or Priority or anything similar. The cmdlet obviously uses invisible data. This might change in future.
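
As an added example (not code from the original article or from Microsoft): a priority tag only helps if it tracks who is actually a VIP, so this script compares a source-of-truth list with the currently tagged accounts and reports which accounts to tag or untag. The function name Get-VipDrift and the example.com addresses are hypothetical, and the commented live-tenant lines assume each group member's WindowsLiveId equals the UserPrincipalName that Get-User returns.

```powershell
# Added example: report drift between the accounts that SHOULD be priority
# accounts and the accounts that currently carry the VIP tag.
function Get-VipDrift {
    param(
        [string[]]$Expected,   # identities that should be tagged (source of truth)
        [string[]]$Tagged      # identities currently tagged as priority accounts
    )
    # Case-insensitive sets, because sign-in names are not case sensitive
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $exp = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $tag = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($e in $Expected) { if ($e) { [void]$exp.Add($e.Trim()) } }
    foreach ($t in $Tagged)   { if ($t) { [void]$tag.Add($t.Trim()) } }

    # In the source of truth but not tagged: protection is missing
    foreach ($id in $exp) {
        if (-not $tag.Contains($id)) {
            [pscustomobject]@{ Identity = $id; Action = 'Tag' }
        }
    }
    # Tagged but no longer in the source of truth: stale tag
    foreach ($id in $tag) {
        if (-not $exp.Contains($id)) {
            [pscustomobject]@{ Identity = $id; Action = 'Untag' }
        }
    }
}

# Constructed sample data (placeholder addresses, not real accounts)
$expected = 'ceo@example.com', 'cfo@example.com', 'CISO@example.com'
$tagged   = 'ceo@example.com', 'ciso@example.com', 'former.exec@example.com'

Get-VipDrift -Expected $expected -Tagged $tagged | Format-Table Identity, Action

# Against a live tenant (needs an Exchange Online session), feed the function
# from the same cmdlets used in the article and preview changes with -WhatIf:
#   $expected = (Get-UnifiedGroupLinks -Identity "Senior Leadership Team" -LinkType Members).WindowsLiveId
#   $tagged   = (Get-User -IsVIP -ResultSize Unlimited).UserPrincipalName
#   foreach ($d in Get-VipDrift -Expected $expected -Tagged $tagged) {
#       Set-User -Identity $d.Identity -VIP:($d.Action -eq 'Tag') -WhatIf
#   }
```

Remove -WhatIf only after reviewing the proposed changes, since an unexpected Untag entry may mean the group membership, not the tag, is what is wrong.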

Microsoft’s post says that you can also tag accounts through the Microsoft 365 admin center and the Exchange admin center. I can’t verify that this is possible because it depends on eligibility for the premium mail flow monitoring feature (see below), or 50 active Exchange Online users. In any case, tags can be managed through the Threat Management section of the older Office 365 Security and Compliance Center (Figure 1), which is how you configure them for the priority account protection feature.

Figure 1: Managing priority users in the Office 365 Security and Compliance Center (image credit: Tony Redmond)

Differentiated Features for Priority Accounts

Now that we have some tagged users, what value will they get from their new priority status? The answer is that it all depends on what licenses your tenant has. The ability to tag priority users is a foundational capability rather than a feature in its own right. The idea is that development groups inside Microsoft can leverage priority users to deliver differentiated service functionality to those users, or rather, to the people responsible for delivering high-quality service to the priority users.

The first two services are:

  • Premium mail flow monitoring (Exchange Online). Report mail flow issues for priority accounts to help tenants understand if any email problems exist for priority accounts which necessitate administrator action. The documentation says that this feature is only available to E3 or E5 tenants with more than 50 active Exchange Online users and 10,000 total accounts. The basic idea is that you’ll be advised when Exchange detects problems with mail flow to priority users. Although it’s nice to have a separate focus on these folk, I think that if a tenant is experiencing mail flow issues, every user will be screaming for help and the same fix will address all problems.
  • Priority account protection (Microsoft 365 Defender – ex-Advanced Threat Protection): Applying a higher level of protection to accounts likely to be targeted by attackers is a more compelling offer as the last thing you want is for an executive to fall foul of a business email compromise attack or other phishing attempts like the recent Office VoIP voicemail notification. The aim is to deliver early warning when priority accounts are being targeted by malware and other threats. This feature requires Microsoft 365 Defender and is enabled when people have Office 365 E5 or Microsoft 365 E5. To learn more, view this Ignite video.

Microsoft hasn’t said if third-party developers will be able to build integrated features to leverage priority accounts. It’s easy (with PowerShell) to retrieve the set of priority accounts and limit a feature in an ISV product to just those accounts, but we don’t know yet if these accounts will be exposed through the Graph API or if hooks will exist to allow interoperability with Microsoft features designed for priority accounts. I guess that information will come in time.

Hard to Call

It’s difficult to know if tenants will embrace priority accounts. Much depends on how many features are enabled by different development groups to deliver real and discernible value. The structure for priority accounts is there. Now it needs to be built on. We’ll just have to wait to see what product groups deliver.

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.
