low-angle photography of metal structure

Are profile cards in OWA a compliance issue?

When you regularly talk to works councils and data protection officers about Microsoft 365, you always come across some pretty exciting topics. For me, that always means researching and considering a strategy. Now I’ve stumbled across a topic again that I hadn’t thought about at all. In the Outlook Web App (OWA), there are so-called profile cards that could apparently be a compliance issue, if it makes it one. Let’s take a look.

What are profile cards?

Profile cards are callable boxes that tell me a lot about my contact or colleagues. A lot of the information is what is already in the company address book and can be found as attributes in Active Directory or Azure Active Directory.

How do you access it? Log in to https://portal.office.com and switch to the Outlook app. If you move the mouse pointer over the profile picture of one of your colleagues (without clicking), a small info box opens with the contact details. If you then click on “Show more”, this big profile card opens, which tells you even more. A lot more.

This profile card contains various additional information that works councils in particular might regard as “critical”. Why? A key term here is once again “behavioral control”. The problem here is probably not the display of who the supervisor is. But rather the block “Works with…”. Here, 12 employees are listed with whom the person works. According to my research, this has been an issue in relevant forums for a good two years.

“Works with…” is not hideable

The fact is: you can’t turn off this part of the box. Microsoft has done quite a bit in connection with this profile card – you can add and also remove custom AD attributes via Graph API. But it is this metadata that cannot be hidden. So if you have a “problem with it”, you have to find another workaround.

Turn off OWA

Sounds radical, doesn’t it? Yes, I think so, too. And actually, it shouldn’t be the goal. Because basically, you’re ruining the benefits of the cloud that way. But since certain information cannot be hidden at this point, that would be the only way to avoid tempting anyone to use it to control behavior.

Company agreement

If the works council has problems with this issue, but does not want OWA to be switched off, then there is still the option of a works agreement. If you roll out Microsoft 365 on a large scale, you won’t be able to avoid a works agreement anyway. And in connection with the profile card, the situation is similar to that with the Delve application. Here, too, metadata can be viewed – for example, who last worked on which file. Quite a few have stipulated in the company agreement that such metadata will not be used to monitor behavior.

Really a problem?

In order to clarify this question, one must know where this information actually comes from. Microsoft is transparent in this regard and explains in its documentation that this is “public information within the organization”. Examples are also given:

  • General groups
  • Distribution lists
  • shared Outlook calendar events
  • and reporting structures.

So it would be primarily sources that might be searchable by everyone anyway, if that’s what they were going for. In no way a confidentiality book will take place here. Thus, not such names appear, with which exclusively personally and privately by mail or chat was communicated.

I could easily understand this with colleagues. For example, I have a morning appointment with colleagues with whom I otherwise have little or no contact in my day-to-day work. These people do not appear on my profile card. But those with whom I work very closely in teams do.

What is also not mentioned in the profile cards is the context of my collaboration with the respective people. In other words, no projects, no specific topics. The block “Works with…” is therefore free of evaluation and any “critical” additional information. According to my personal profile, the information is not even really up-to-date. There are employees who have not even worked for the company for some time, but whose accounts are apparently still there.


If you implement Microsoft 365, you have to talk to the works council. That’s important, and that’s also good. On the list of things to talk about, the point about profile cards is now a new addition for me.

However, I still do not see this critically. Metadata is generated – “then” as now. It’s just that some things are presented more transparently in the cloud. So you need a paragraph in a company agreement stating that such metadata will not be used to monitor behavior. And in the end, this covers all the supposed possibilities for doing so.

Published by Sascha

Cloud Solution Architect for Microsoft 365 with a soft spot for data protection and security. In addition, always an eye on the no less important topics of Change & Adoption.
%d bloggers like this: