Complex organizations and insights

Complex organizations are Microsoft Azure Active Directory (AD) customers who use multiple Microsoft 365 or Office 365 tenants. The following two reasons are primarily why your organization has this type of configuration:

Mergers and acquisitions

A business merger between two companies resulting in an organization made up with multiple Microsoft 365 or Office 365 tenants and separate Azure ADs. The tenants either choose to remain separate and collaborate together or merge into a single tenant.

The following shows how mergers and acquisitions require the use of two tenants.

Screenshot that shows a diagram of two tenants.

Conglomerates

A conglomerate is a corporation made up of several independent subsidiaries. The subsidiaries are tenants that have separate Azure AD and will collaborate together and remain separate.

The concept of conglomerates is as follows.

Screenshot that shows different tenants in a conglomerate.

Purpose of this article

Complex organizations represent challenges for deriving insights. Often, the task falls to analyzing each of the tenants that make up the complex organization independently and comparing them manually. The process can be highly manual in nature. This article provides a growing number of examples that explain how to overcome manual processes. These examples also include those that lead to output visualizations.

Use Viva Insights

Microsoft Viva Insights provide information and research-based behavioral insights into how an organization gets work done:

  • Some examples of the works to get done are:

    • How to enhance organizational agility
    • How to boost employee engagement
    • How to improve agility
    • How to foster innovation

Advanced analytics for organizations comprised of multiple Viva Insights tenants can be enabled by:

  • Combining the data in a central location
  • Combining that data with other data sources

A few starter use cases that would be enabled by this data combination strategy are:

  • Identify collaboration patterns between two distinct business groups (tenants)

    Illustration of the collaboration patterns between two distinct business groups

  • Distinguish collaboration patterns between cross business groups (tenants) as compared to true external interactions.

    Illustration of distinctive collaboration patterns

  • Data combined from Viva Insights with external sources to address headcount planning, employee well-being, permanent remote work, inclusion and diversity, and so on.

    Illustration that shows data combined from Viva Insights with external sources.

There are different ways to create a data pipeline to copy data from the source to the destination. There are also different data storage locations that can be used, such as storage accounts, SQL databases, synapses, and so on. An example leveraging Azure data factory, Viva Insights organizational data, and Azure blob storage will be described in the following sections with a Business Continuity use case.

Preconditions

The following preconditions are to be fulfilled, prior to continuing with its analytical process using Microsoft Viva Insights:

Organizational data

Organizational data is a key requirement for Viva Insights and further advanced analysis. The organizational data relates to attributes such as employee's title, manager, group, level, and so on. The organizational data that is generally required is further described in Viva Insights prepare organizational data.

To enable advanced analysis, the following schema can be used in the file that is uploaded into Viva Insights:

Note

The schema should be the same between tenants.

Attribute Name Attribute Description
EffectiveDate Date for which the given attribute value applies for the employee. The attribute applies until another record for the same attribute with a different effective date is specified.
PersonId Unique identifier for the employee record. This identifier can be the employee's primary SMTP address or email alias. It must be in a simplified format that contains no spaces. For example, the format person.name@contoso.com is allowed; however, the format <Name, Person> (person.name@contoso.com) is not allowed.
ManagerId Unique identifier for the employee’s manager, which is needed to correctly calculate metrics for time spent with managers and their direct reports. This identifier can be the manager's primary SMTP address or email alias. It must be in a simplified format that contains no spaces. For example, the format person.name@contoso.com is allowed; however, the format <Name, Person> (person.name@contoso.com) is not allowed.
Organization The internal organization that the employee belongs to. An employee’s organization will be specific to the individual needs and could be identified by the leader of the organization, or by another naming convention. This data is needed to correctly calculate metrics for redundancy and insularity.
FunctionType The job function that the employee performs. This job function is specific to the organization. This data is used to filter and group reports, and for grouping of data in Explore the stats features.
LevelDesignation The employee’s level, which is represented as a string. This level is specific to the organization and can represent an employee’s experience or management level, or seniority within the organization. This data is needed to correctly calculate metrics for redundancy and insularity.
Layer The place where the employee is within the organizational hierarchy. Layer is represented as an integer and expressed as the distance the employee is from the top leader of the organization. For example, the CEO is at layer 0. This data is used to filter and group reports, and for grouping of data in Explore the stats features.
SupervisorIndicator The attribute used to view the habits of people managers or influencers in the organization in Power BI visualizations. This attribute powers the Overview table, the Workload charts that are generated when you use a template that requires this attribute. This attribute indicates the manager status of each employee as IC (individual contributor), Mngr (manager), or Mngr+ (manager of managers); however, if a different nomenclature is used in the file, you must update the Power BI chart filters accordingly. If you include SupervisorIndicator, you must also include the values IC, Mngr, or Mngr+ in the organizational data.
TimeZone Time zone in which the employee works. This attribute must be one of the time zones in Time zones for Workplace Analytics. If no time zone is mapped to for an employee, the system will use the default time zone, which is Pacific Standard Time.
TenantInd Unique name for the Tenant. For example, TenantA, TenantB, TenantC, and so on.
Location Geographic region or other location detail.
HashId Unique Hashed identifier for the employee. This attribute enables further advanced analysis on the Viva Insights query results.

With the schema in the above table being used in the file, the analysis output from the uploaded file can be joined with other data sources (for example, sales data and zoom data) for an advanced analysis.

Additional instructions for preparing organizational data for Viva Insights are available here.

Example: Sample of an organizational data file

Screenshot of a sample of a file that contains organizational data.

Viva Insights Business Continuity dashboard

Set up the Business Continuity dashboard for your tenant with the following modification:

  • In the Organizational data section of the Business Continuity and Hourly Collaboration report, add HashId and TenantInd columns to the list. More columns can be added for this report if needed, for analysis. The following shows what attributes to select: Screenshot of the Organizational data section of the Business Continuity and Hourly Collaboration report

Azure

For Ad hoc with OData and Automated Data Pipeline, you will need:

  • An application registration
  • Registered application's secret for each tenant from which you are planning to pull Viva Insights query results.

You will also need an Azure subscription to host the data from the two tenants.

  1. To register an application, accomplish Steps 1 to 5 in the Automate Exports for each tenant.
    1. To obtain a secret for the registered application, select Certificates & secrets from your newly registered application in Azure Active Directory.
      1. For Key authentication, select New client secret and in Add a client secret, enter a description, select when it expires, and select Add. In Client secrets, select the new secret value, and select the Copy icon to copy the value.
    2. Make a note of the Application ID and secret that are created for each tenant.
  2. In the case of Microsoft Azure subscription, perform the following steps:
    1. Deploy custom deployment from arm template.
    2. Configure the deployed resources.

The template creates the following resources:

  • Resource group
  • Key vault
  • Storage Account
  • Azure data factory using managed identity

(The example of a privilege that allows for creation of the above resources is Azure Administrator.)

Solution samples

The case of using query data from Viva Insights from multiple tenants, the following are a few sample solutions.

Ad hoc manual approach

Viva Insights queries can be executed and the output can be downloaded and further analyzed offline. This sample will be using the Business Continuity report listed in the Requirements section. There are no other pipeline setup requirements.

Illustration of the instance of ad hoc manual approach

Ad hoc using OData approach

Viva Insights queries can be scheduled to auto refresh and accessed via OData links to provide further analysis or to be visualized in PowerBi reports. This sample will be using the Business Continuity report listed in the Requirements section. There are no other pipeline setup requirements.

Illustration of the instance of ad hoc OData approach

Automated data pipeline

Viva Insights queries can be scheduled to auto refresh and downloaded to a central data store location for further analysis or visualizations. The solution sample uses Azure blob storage. This sample will be using the Business Continuity report listed in the Requirements section. The setup details are available here.

Illustration of the instance of automated data pipeline

Solution Sample Pipeline Setup

Data pipeline - Automated

  1. Download the DataFactory_OData_arm_template.json file from the Complex Organization sample solution in GitHub.

  2. Deploy the arm template for data factory creation for MultiTenant by performing the following steps:

    1. Launch the Azure portal for the subscription you want to use. Screenshot of the Azure portal home screen.

    2. Search for Deploy from a custom template in the search bar.

    3. After Deploy from a custom template is shown (under Services pane), select it. Screenshot that shows the deploy from a Custom Template option in Azure.

    4. Select Build your own template in the editor. The Edit template screen appears. Screenshot that shows the Edit template screen.

    5. Select Load file. Screenshot of the screen displaying the Load file option. The browser window is displayed.

    6. Navigate to the location that contains the downloaded DataFactory_OData_arm_template.json file and select Open.

    7. In the resultant screen, select Save. Screenshot of the screen where you save the file to upload it.

    8. Provide values for the highlighted items: Resource group, Region, Vaults_MTkvsecret_name, Storage Accounts_MTstorage_name, and Factory Name. Screenshot of Custom deployment screen, Basics tab, with values you need to fill in highlighted.

    9. Select the Review + create tab, and select Create.

  3. Grant access to the data factory managed service identity to the key vault and the storage account by performing the following steps:

    1. Launch the Data factory (V2) resource by clicking its link to obtain the managed service identity.
    2. Select Properties. The screen shows details for the chosen Data factory. Screenshot that shows the data factory Properties screen.
    3. Copy the value of the Managed Identity Application ID attribute.
    4. Navigate back to the screen of the resource group by selecting Overview, the Resources tab and the resource group name under it.
    5. Launch the Key Vault by clicking its link.
    6. Select Access policies in the left pane. Screenshot of the keyvault's Access policies screen.
    7. Select + Add access policy in the center of the screen. The Add access policy screen appears. Screenshot of the Add access policy screen.
    8. Add your own account by setting values, as follows:
      1. From the Configure from template drop-down list, choose Key, Secret, & Certificate Management.
      2. From the Select principal field, search for your ID, and once it is displayed, select it. Your ID is displayed under the Selected items pane. Screenshot of the Add access policy screen with the Principal side pane expanded, which shows searching for an ID.
    9. Select Add.
    10. Select Save in the upper-left of the screen. Screenshot that shows the Save option on the Access policies screen.
  4. Add the keyvault's secret permissions to the managed identity by performing the following steps:

    1. From the keyvault's properties screen (as the following shows), select Access policies in the left pane. Screenshot of the Access policies page with Access policies highlighted on the left bar.
    2. Select + Add access policy. The Add access policy screen appears.
    3. From the Secret permissions drop-down list, choose Get and List. Screenshot that shows selecting Get and List permissions from the Secret permissions field on the Add access policy screen.
    4. From the Select principal field, search for your ID, and once it is displayed, select it. Your ID is displayed under the Selected items pane. Screenshot fo the Add access policy screen that shows adding a principle for the data factory in the right pane.
    5. Select Add.
    6. Select Save in the upper-left of the screen.
  5. Grant Storage Account permissions to the Data Factory Managed Service Identity.

    1. Launch the resource group. The screen displaying details of the chosen resource group appears.
    2. Launch the storage account. The screen displaying details of the chosen storage account appears.
    3. Select Access Control (IAM) in the left pane. Screenshot of the Access control (IAM) section of the storage account.
    4. Select the Role assignments tab, as shown. Screenshot of the Access control (IAM) section of the storage account with Add role assignment selected on the Add dropdown.
    5. Select + Add and select Add role assignment. The Add role assignment screen appears.
    6. Select Storage Blob Data Contributor, and select Next. The role assignment screen
    7. Select the Members tab, and under Assign access to, choose the Managed identity radio button. Screenshot of the Add role assignment page, Members tab, with Managed identity radio button selected under Assign access to.
    8. Select + Select members in the center of the screen. The Select managed identities screen appears. Screenshot of the Select managed identities page with the fields Subscription, Managed identity, and Select.
    9. From the Managed identity drop-down list, choose Data factory (V2).
    10. Search for the Data factory name you defined in Data pipeline - Automated step 2h from the Select field.
    11. Select the Select option. The Add role assignment screen appears.
    12. Select the Review + assign tab, and select Review + assign at the bottom-left of the screen.
    13. Refresh the browser to view the Role assignments screen again, in which you can view the Data factory application you have just added. Screenshot of the Storage Blob Data Contributor section showing the data factory the user added earlier.
  6. Create a file named ODatasources.txt.

    1. Create a .txt file with the following comma-delimited schema for each OData source and the tenant reference information that will be stored in keyvault.

      Column name Description
      ODataurl OData URL from viva insights query
      tenantid Name of the secret in the Keyvault for the TenantID (aka omstenantid, aad tenantid)
      aadresource The aadresource for the OData
      servicePrincipal Name of the secret in the Keyvault for the application ID that will be used to access the OData URL
      secretName Name of the secret in Keyvault for the secret for the application ID that will be used to access the OData URL
      path OData path of the OData URL
      fileName Pre-fix name of the file

      Note

      The content in the .txt file will be a comma-delimited one. This content is built using the schema in the above table. This schema-based content is created for each OData source.

    A sample of the ODatasources.txt file is shown in the following graphic. This file contains details of two tenants, who are each assigned two sets of OData URLs they can govern. Each OData URL for a tenant uses the keyvault secret created specifically for that tenant.

    Screenshot that shows the content of the sample organizational data text file.

  7. Generate the secrets in Key Vault by performing the following steps:

    1. Launch the Key Vault.

    2. Select Secrets in the left pane, and select + Generate/Import. Screenshot of the Secrets screen with the Generate/Import option highlighted.

    3. Create the secrets using the names in the following table.

      Note

      The two examples after the table describe the process of creating a secret.

      Secret Name (based on the examples Tenant 1 and Tenant 2) Value description
      tenantid1 Azure AD TenantId for Tenant 1. Example: bd382938-yyyy-yyyy-yyyy-yyyyyyyyyyyy
      servicePrincipal1 Service Principal for tenant 1. Example: lld32e908-yyyy-yyyy-yyyy-yyyyyyyyyyyy
      MTWpaSecret1 Credential for servicePrincipal1 for tenant 1. Example: dsfUELk23r7912!#
      tenantid2 Azure AD TenantId for tenant 2. Example: bd382938-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      servicePrincipal2 Service Principal for tenant 2. Example: hh2bd38d-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      SPSecret2 Credential for servicePrincipal2 for tenant 2. Example: bjdIOLUE.j23iu2!#

    Example 1: This example provides a sample OData URL for each of the tenants, namely Tenant 1 and Tenant 2, in which the names of the secrets to be created are present.

    Tenant 1: In this example, the tenantid1, servicePrincipal1, and MTWpaSecret1 values are the secrets to be created in the keyvault.

    https://workplaceanalytics.office.com/2de6681a-42d5-46fa-a858-2660f5743815/scopes/e0d8d313-6075-4c25-b714-98843532ae61/jobsOData/a6ca4178-f30b-4c7a-8c8e-38f53fe1d2d0/GroupToGroup,tenantid1,https://workplaceanalytics.office.com,servicePrincipal1,MTWpaSecret1,GroupToGroup,GroupToGroup

    Tenant 2: In this example, the values tenantid2, servicePrincipal2, and SPSecret2 are the secrets to be created in the keyvault.

    https://workplaceanalytics.office.com/10c5ca3c-a4d2-424d-8af3-f0efd6c79c99/scopes/217c5147-e12b-448c-9672-25b79a9ec0f0/jobsOData/ae3270dc-ba5a-4c40-b6b9-81fd9b5a4eac/GroupToGroup,tenantid2,https://workplaceanalytics.office.com,servicePrincipal2,SPSecret2,GroupToGroup,WpAAIGroupToGroup

    Example 2: This example describes (in a pictorial form) the step involved in creating a secret, using the tenantid1 value from the Tenant 1 example.

Creating a secret

Screenshot of the Create a secret screen.

Created (the above) secret in the key vault

Screenshot of Secrets screen for the keyvault, which shows six created secrets that are Enabled.

  1. Upload the ODatasources.txt file to the storage account in the wpaexports container by performing the following steps:
    1. Launch the storage account. Screenshot of the storage account screen at the stage of OData file upload.
    2. Select Containers in the left pane. Screenshot of the containers screen where the user can select the container they created earlier.
    3. Select the container you created earlier in Data pipeline - Automated, step 2h. The screen displaying details/options in this container is displayed. Screenshot of the container page with the Upload blob left pane expanded.
    4. Select Upload to the right of the search bar. The screen displaying the uploaded file appears.

To set trigger for pipeline

A trigger can be created in the Azure data factory to execute the pipeline on a schedule. This schedule is dependent on the needs and the report granularity. For the Business Continuity, it is at a week grain. The minimum timeframe would be on a weekly basis, for example, every Tuesday.

Creation of a trigger for a pipeline is shown in the following graphic:

Screenshot of the new trigger screen with several fields, including Name, Description, Type, and scheduling options.

To execute the pipeline manually

  1. Launch the data factory created earlier, and select Open under the Open the Azure Data Factory Studio option in the Getting started pane.

    Note

    Data factory is the one created during deployment of arm template for data factory creation for MultiTenant.

    Screenshot that shows the Getting started pane with the Open option highlighted in the Open Azure Data  Factory Studio.

  2. Select Author in the left pane. Screenshot that shows the Data Factory screen with Author highlighted on the left pane.

  3. Expand the Pipeline pane and select CopyPipeline_MTBCDPipeline. Screenshot of the pipeline on the Factory resources page with Copy Pipeline_MTBCDPipeline on the left pane.

  4. Select Debug. The following illustrates a successful execution of a debug operation. Screenshot of the pipeline screen with Debug highlighted in the top ribbon.

    The output is available to view in the storage account in the container you created > rawdata1.

    Screenshot of the container screen that has rawdata1 and odatasources.txt under Name.

Visualize with PowerBi

Visualization with PowerBi can be implemented in many ways. PowerBi supports several data sources such as local storage, Azure blob storage, and OData sources.

The Business Continuity PBI report file can be used as an example of the following type:

  • A file that can be downloaded from Viva Insights and modified to support multiple tenants as data sources.

To download the report, you can download the PBI template for the Business Continuity report you executed as part of the preconditions.

Once you have downloaded the report and the data sources have been modified, the report can show visualizations across the two tenants. See the following for some example screenshots.

Example 1

To obtain an insight into the look of the report by a tenant, perform the following steps:

  1. In the Settings screen, from the Select an organizational attribute to view the report by drop-down list, choose the Tenant identifier attribute. Screenshot of the Settings screen in a Power BI report.
  2. Select one of the Power BI report pages. The following screenshot depicts one of the selected pages. Screenshot of a Power BI report page.

You can go with any number of settings combinations for different perspectives on the insights.

Example 2

To view the Tenant 1 organization insights, perform the following steps:

  1. In the Settings screen, from the Select an organizational attribute to view the report by drop-down list, choose Organization.
  2. Under the To filter employees, select the organizational attribute and values you would like to filter by pane, from the Organizational Attribute drop-down list, choose TenantInd.
    1. From the Select filter values drop-down list, choose one of the tenants. Screenshot of the Settings page of a Power BI report with Select filter values dropdown menu expanded and PublicDemo checked.
    2. Select one of the report pages. Screenshot of a report page in Power BI.