Tenantry / docs / optimization report identity settings

date: 2026-05-04

Report Identity Settings and Concealed Names

This page explains how Microsoft 365 report identity settings affect optimization and what we recommend.

Recommendation

Disable concealed names in your tenant’s Microsoft 365 admin report settings. When concealed names are enabled, Graph usage reports replace real user principal names with obfuscated identifiers, which prevents the optimization engine from mapping activity data to individual users.

To change this setting:

1. Open the Microsoft 365 admin center.
2. Navigate to Settings > Org settings > Reports.
3. Uncheck Display concealed user, group, and site names in all reports.
4. Save.

The change takes effect on the next report refresh cycle (typically within 48 hours).

Why this matters

The optimization engine relies on user-level activity data from Microsoft Graph usage reports to classify seats as active, stale, or inactive. When report identities are concealed:

• Graph CSV exports contain hashed identifiers instead of user principal names.
• The engine cannot match report rows to tenant users.
• Confidence drops and automated recommendations are suppressed in favor of manual review.

This affects add-on removal recommendations most directly, but it also limits the quality of overlicensing candidate scoring and confidence calculations across all opportunity types.

How the product handles concealed identities

The product reads GET /v1.0/admin/reportSettings to detect the displayConcealedNames setting. Based on the result:

• Identities visible (displayConcealedNames: false): full user-level mapping is available. The engine can produce high-confidence, automated recommendations.
• Identities concealed (displayConcealedNames: true): the engine still ingests aggregate report data, but user-level mapping is limited. Add-on removal recommendations are kept at review_only and a banner surfaces the limitation on the Optimization and Settings pages.
• Setting unreadable (permission missing, unsupported endpoint, or transient failure): the engine proceeds conservatively, treating identity mapping as unverified. A banner explains the status and suggests granting ReportSettings.Read.All.

Permission requirements

Permission	Type	Purpose
Reports.Read.All	Application	Read Graph usage report CSVs for activity classification. Required for overlicensing reports.
ReportSettings.Read.All	Application	Read displayConcealedNames from admin report settings. Optional but recommended for diagnostics and guardrail accuracy.

If ReportSettings.Read.All is not granted:

• The product cannot confirm whether identities are visible or concealed.
• Optimization still runs, but the engine keeps add-on automation conservative by default until the setting can be verified.
• A banner on the Optimization and Settings pages indicates that report identity settings could not be verified.

Degraded capability notes

The optimization summary includes degraded capability notes when report identity settings are not fully available:

• permission_missing: the app lacks ReportSettings.Read.All. The note recommends granting the permission.
• unsupported_endpoint: the report settings endpoint is unavailable in this cloud environment (for example, national clouds). Concealed identity detection is not supported.
• transient_failure: a temporary Microsoft service issue prevented reading the setting. The next optimization run will retry automatically.

Impact on specific actions

• remove_addon: automatic removal is blocked when identities are concealed or unverifiable. See remove_addon details.
• review_only: concealed identities are an additional trigger for review-only fallback. See review_only details.
• remove_license and downgrade_license: these actions rely on the same underlying report data. Concealed identities reduce mapped-identity coverage, which lowers confidence and can push candidates toward review-only.