Last week, a cloud-related incident impacting the Australian education sector occurred, serving as an important reminder of the importance of staying on top of Microsoft 365 changes and the reality of the challenge faced by organisations in managing cloud-based evergreen technology.
The New South Wales Data Collection Incident: a Wake-Up Call for Organisations
Last week, a cloud-related incident impacting the Australian education sector occurred, serving as an important reminder of the importance of staying on top of Microsoft 365 changes and the reality of the challenge faced by organisations in managing cloud-based evergreen technology.
In March this year, Microsoft rolled out a new feature in Microsoft Teams that enabled voice and facial recognition capabilities, which consequently enabled data collection by default. Voice and face enrolment in Teams creates a profile for each participant in Teams meetings and enhances audio quality, reduces background noise and enables speaker identification in meetings through voice and face recognition. This new feature was communicated in the Microsoft 365 Message Center item MC912707 ‘Microsoft Teams: New policy for voice and face enrolment will default to ‘On’ (configure now)’, which was first published back in October 2024 and further updated in February of this year.
MC912707 message and summary in the ChangePilot Portal
Unfortunately for the IT Team at the department, this is just one of thousands of updates from Microsoft's Message Center and Roadmap services that are issued each year, and the feature wasn’t disabled resulting in students’ biometric data being collected by Microsoft for a whole month before the department became aware of the policy change. It is also not unreasonable to suggest that this is not the only case of this change being applied unchecked.
Within 24 hours of the department becoming aware of the voice and facial enrolment feature’s availability, they turned it off and deleted all voice and facial profiles. However, this has caused huge concerns for students and parents as despite the profiles being deleted and the feature being switched off, the question of how long Microsoft keeps that data and what it is used for remains.
On Microsoft’s website it states that if a user deletes their Teams account, the biometric data will be deleted within 90 days. however nerves have not yet been settled given the questions around the use and sharing of such data. Even if Microsoft delete the data, the question remains as to who else they shared it with in that 90-day period, demonstrating that once data is deleted, it doesn’t necessarily mean it is gone.
The Challenge of Managing Microsoft 365 Evergreen Change
This incident highlights a critical challenge that many organisations face: how to stay informed and prepared for changes in cloud services that could impact security, privacy and regulatory compliance.
With an average of 1500 Microsoft 365 Message Center items annually per tenant in 2024, the pace and scale of Microsoft 365 evergreen change is rapid, trending towards 100% increase in Message Center items in 2025 and a 64% increase in Roadmap items being launched.
Microsoft 365 Message Center Messages by Month in 2024
While these changes often bring improvements and new capabilities, they can also introduce unexpected risks, particularly as they are automatically enabled without clear notification or when organisations lack an effective process to filter, prioritise and manage these changes.
For educational institutions, healthcare providers, government agencies and businesses handling sensitive data, staying on top of these changes is an essential aspect of maintaining compliance and protecting stakeholder privacy.
The Critical Role of the Microsoft 365 Message Center
One of the most important tools for any organisation using Microsoft 365 services is the Microsoft 365 Message Center, situated within the Admin Center. This is Microsoft’s primary channel for communicating upcoming changes, new features and important updates to administrators.
The Message Center provides:
- Advance notifications about new features and updates
- Detailed information about changes that might impact your organisation
- Options to delay or manage the rollout of certain features
- Critical security and compliance information
Despite this, many organisations struggle to effectively monitor the M365 Message Center. Administrators are often overwhelmed with the volume of messages coming in, making it difficult to identify and prioritise the important updates. Without a systematic approach, critical notifications about features like the biometric data collection through voice and face enrolment in Microsoft Teams can slip through the crack, leading to negative experiences.
How to Stay Ahead of Microsoft 365 Changes and Remain Compliant
The NSW Education Department’s experience serves as an unfortunate but valuable lesson for all organisations. Automatic feature rollouts like the Teams biometric data collection in voice and face enrolment can happen at any time, and without robust change monitoring processes, they can go unnoticed until it’s too late. It is not unusual for Microsoft to release updates as ‘on by default’.
- Would your organisation have known about the new biometric data collection feature before it was enabled?
- Do you have processes in place to evaluate the privacy and compliance implications of new features?
- Do you have a systematic way to monitor Message Center updates across your busy IT team?
If you answered ‘no’ to any of these questions, your organisation could be at risk of encountering a similar situation.
This is where ChangePilot comes in – our solution is specifically designed to help organisations stay informed and prepared for changes in Microsoft 365 services.
Organisations need reliable systems to monitor, assess and manage these changes, especially when they involve sensitive capabilities like biometric data collection, which has consequences for privacy, security and regulatory compliance.
ChangePilot provides the solution organisations need to stay ahead of Microsoft 365 changes and avoid being caught unprepared. By implementing our process, you can ensure that your organisation avoids becoming the next headline about a company that has fallen foul to unexpected data collection or privacy concerns because of lagging behind on Microsoft’s fast-moving timeline.
For more information about ChangePilot and how we can help your organisation stay ahead of Microsoft 365 changes, read about our products or contact our team for a demonstration.
Comments