Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

Microsoft Viva Insights: New Microsoft Entra security groups created by the service

Message ID
MC1325412
View in Message Center
Service
Microsoft Viva
Category
Stay Informed
Tags
Feature updateUser impactAdmin impact
Rollout
June 2026

Summary

Viva Insights will replace its list-based role access with Microsoft Entra security groups for Chief Officer and Group Manager roles, improving security and consistency. Up to four service-managed groups per tenant will be auto-created and synced without admin action. No new permissions or manual edits are allowed. Rollout occurs mid to late June 2026.

Details

[What and Why:]

Viva Insights is taking steps to strengthen security for our customers. As part of this effort, access to the Insights app will now be implemented using Microsoft Entra–based authorization, replacing the previous list‑based solution. This aligns Viva Insights with standard Microsoft 365 authorization practices and improves consistency and manageability.

These groups represent roles the service already uses internally (Chief Officer, Chief Officer Delegate, Group Manager, Group Manager Delegate). No admin action is required. We're sharing this notice so your security and identity teams recognize these groups when they appear in your directory.

[Rollout Schedule:]

  • We will begin rolling out in mid-June 2026 and expect to complete by late June 2026.

[Impact on Your Organization:]

Who is affected:

  • Organizations using Viva Insights or Copilot Dashboard

Platforms/Services:

  • Viva Insights
  • Copilot Dashboard
  • Microsoft Entra ID

What will happen:

  • Viva Insights will transition role membership for Chief Officers, Group Managers, and their delegates from the Viva Insights service database to Microsoft Entra security groups, consistent with Microsoft 365.
  • For each tenant, up to four security groups may be created on demand, one per role:
    • Chief Officer
    • Chief Officer Delegate
    • Group Manager
    • Group Manager Delegate
  • Groups are created just in time, only when the corresponding role is first used.
  • Groups are owned by the Viva Insights (Workplace Analytics) service principal.
  • Membership is populated and refreshed automatically by the Viva Insights service.
  • No new privileges are granted.
  • Customers may notice one or more new groups with names starting with VivaInsights_ in the Microsoft Entra directory.
  • Group descriptions indicate that these groups are service‑managed, used internally for service authorization, and should not be deleted.
  • Group names are consistent across tenants to support easy identification and documentation.
  • The groups include only users who already hold the corresponding Viva Insights role in the tenant.
  • Manual edits to group membership will be overwritten during the next sync.
  • If a group is deleted, Viva Insights will recreate it automatically the next time it is needed.
  • These groups will not be used for access enforcement until rollout is complete and this notice has been published. Until then, the groups exist for sync and validation only and do not affect access to Viva Insights or Copilot Dashboard.

[Action Required / Recommendations:]

No action is required.

We recommend that admins:

  • Inform security and identity teams that VivaInsights_* groups are expected and service‑managed.
  • Leave these groups in place; they are required for future access enforcement.
  • Avoiding manual edits to group membership, since changes will be overwritten by the next sync. 
  • Update internal documentation or monitoring rules to prevent false‑positive alerts.

Frequently asked questions:

  • Why do I see a group named VivaInsights_Chief_Officer (or similar)? This Microsoft Entra security group mirrors existing Viva Insights role assignments. The group itself does not grant new permissions.
  • Will any user gain access they didn’t have before? No. Group membership reflects current Viva Insights role assignments only. No new access is created.
  • Can admins manage these groups manually? No. These groups are service-managed and owned by the Viva Insights service principal. Manual membership changes will be overwritten during the next sync cycle.
  • What happens if a group is deleted? If a VivaInsights_* group is deleted, Viva Insights will recreate it automatically the next time the corresponding role is needed. No data is lost.
  • Are these groups used for access enforcement today? Not yet. During rollout, the groups exist for sync and validation only and will be used for enforcement after worldwide rollout is complete and this notice is published.
  • What permissions does Viva Insights have in my directory? Only the permissions required to create and maintain these specific security groups, scoped to the Viva Insights service principal.

[Compliance considerations:]

Compliance AreaExplanation
Conditional Access policiesRoles will eventually be enforced using Microsoft Entra security groups, aligning Viva Insights with standard Entra-based access controls.
Admin control via Entra ID groupsAccess enforcement will use service‑managed Entra ID security groups owned by the Viva Insights service principal.


Change History

Show
Published: May 28, 2026
Last Updated: May 28, 2026
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

Explore Dashboard Sign Up Free