
Are you missing critical, hidden Microsoft 365 Message Center items?

The Message Center in Microsoft 365 is your organization’s window into upcoming feature releases, deprecations, policy updates, and service-impacting changes.

Microsoft uses the Message Centre to publish announcements across Microsoft 365, delivering them in a centralised feed that lets admins stay ahead of the changes that matter most to end users.

Many organisations are diligently reviewing their messages, not realising there are some messages they can't see, with no indication they are there.

Unknown to most, there is a specific type of Message Centre item that is hidden from the majority of administrators due to its sensitive nature. These restricted messages are only visible to users with the Global Administrator role or those assigned the Message Center Privacy Reader role. 

 

Which Microsoft 365 Message Centre messages are restricted?

Restricted messages typically deal with sensitive organizational data, user privacy, or regulatory commitments.

Microsoft gates visibility of these messages to ensure that only users with the Global Administrator or Message Center Privacy Reader role can review and act on this information.

For instance:

  • Data Privacy Notices explain changes to Microsoft’s handling of customer data, updates to audit features, or new tools for GDPR compliance. These are visible only to global admins and privacy readers because they relate to data flows and legal obligations.

  • Customer Lockbox Requests require an admin’s approval before Microsoft support engineers can access tenant data. Notifications about these requests are reserved strictly for global admins to prevent unauthorized access.

  • Compliance and Security Updates, such as the rollout of new sensitivity labels or retention policies, may be marked as “admin impact” or “data privacy,” and shown only to authorized roles. These updates influence classification and data governance practices across the tenant.

  • Copilot and AI Data Handling Notices have emerged more recently as Microsoft expands AI services. Notifications about what content AI tools can access, exclusions from training, and privacy boundaries are often restricted for review by compliance stakeholders.

Message Center Permission Levels

Microsoft 365 uses Azure Active Directory roles to gatekeep visibility in the Message Center. Here’s a breakdown:

| Role | Access Level | Example Visibility |
|---|---|---|
| Global Administrator | Full | All message types, including GDPR notices and phishing alerts, data privacy updates, compliance changes, security advisories |
| Message Center Privacy Reader | High (privacy-sensitive) | All message types, including GDPR notices and phishing alerts, data privacy updates, compliance changes, security advisories |
| Message Center Reader | Standard | Feature roll-outs, deprecation notices, admin action reminders |
| Custom Roles (with specific privileges) | Variable | Tailored based on assigned message center privileges |

 

How to Edit Permissions to Give Full Visibility

Message Center permissions can be changed on a user-by-user basis. The instructions below detail how to amend these privileges.

  1. Sign in to the Azure portal (https://portal.azure.com) with Global Admin rights.
  2. Navigate to Azure Active Directory > Roles and administrators.
  3. Search for “Message Center Privacy Reader,” “Message Center Reader,” or a custom role.
  4. Click the role name, then select Assignments > Add assignment.
  5. Choose the user or group, and confirm.
  6. To customize further, create a Custom Administrator role, add the “Message center reader” and/or “Message center privacy reader” permissions, then assign it.

These changes take effect almost immediately. After the update, your selected admins will see the revised set of messages in the Microsoft 365 admin center.
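To check the outcome of these assignments, the sketch below (an added example, not part of the original post or of ChangePilot) classifies accounts by what the role table above says they can see and picks out feed items carrying the "Data privacy" tag. The role export layout, the accounts and the message records are constructed samples, and the message field names are assumed to follow Microsoft Graph's serviceUpdateMessage resource.

```python
# Role names as given in the article; only these two can open restricted items.
PRIVILEGED_ROLES = {"Global Administrator", "Message Center Privacy Reader"}
STANDARD_ROLE = "Message Center Reader"
RESTRICTED_TAG = "data privacy"  # tag the article shows on restricted items

# Constructed sample: role name -> assigned accounts (hypothetical export layout).
ASSIGNMENTS = {
    "Global Administrator": ["ga1@contoso.example", "GA2@contoso.example"],
    "Message Center Reader": ["changemgr@contoso.example", "ga2@contoso.example"],
    "Message Center Privacy Reader": [],
}

# Constructed sample feed; field names assumed from Graph's serviceUpdateMessage.
MESSAGES = [
    {"id": "MC000001", "category": "planForChange", "tags": ["Feature update"]},
    {"id": "MC000002", "category": "preventOrFixIssue",
     "tags": ["Data privacy", "Admin impact"]},
]

def restricted_messages(messages):
    """Return ids of messages tagged as data privacy (case-insensitive match)."""
    return [m["id"] for m in messages
            if any(t.strip().lower() == RESTRICTED_TAG for t in m.get("tags", []))]

def audit_visibility(assignments):
    """Split accounts into full vs standard-only visibility and list gaps."""
    full, standard_only = set(), set()
    for role, users in assignments.items():
        if role in PRIVILEGED_ROLES:
            full.update(u.lower() for u in users)
        elif role == STANDARD_ROLE:
            standard_only.update(u.lower() for u in users)
    standard_only -= full  # a privileged role overrides the standard one
    findings = []
    if not full:
        findings.append("no account can read restricted messages")
    elif not assignments.get("Message Center Privacy Reader"):
        findings.append("restricted messages readable only by Global Administrators; "
                        "assign Message Center Privacy Reader to a named reviewer")
    return {"full": sorted(full), "standard_only": sorted(standard_only),
            "findings": findings}

if __name__ == "__main__":
    print("restricted items:", restricted_messages(MESSAGES))
    print(audit_visibility(ASSIGNMENTS))
```

Accounts listed under `standard_only` review the feed without seeing the items `restricted_messages` returns, which is the gap the article describes.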

Never Miss an Important Message with ChangePilot

ChangePilot is a change management workflow tool providing concise summaries, additional context, and an operational workflow to help organisations efficiently manage the evergreen nature of Microsoft 365.

When tenant-connection is enabled, ChangePilot collects each tenant's unique Message Center (read-only).

For restricted items, the skeleton metadata returned by the Microsoft Graph API includes the category, published date, and a redacted summary.

Below is an example of how restricted messages are displayed when delivered to an environment via ChangePilot Pro:


Message Title: Microsoft Forms Phishing Notification

Services: Exchange

Summary:

      • A Data Privacy message is available in Message Center for your organisation.
      • Access to this message requires a Global Administrator or designated Message Center Privacy Reader.
      • The message is categorized under 'Data privacy' and 'Prevent or fix issue', indicating it relates to known issues affecting your organization.
      • Administrators should be aware of the need to take action to avoid service disruption.
      • The change is significant for organizational compliance with GDPR.

ChangePilot will alert in Microsoft Teams when high-impact notices arrive and mark the item as high admin impact for the customer team to review. Your organization still controls who sees sensitive full details in the admin center.

To try ChangePilot free for six weeks, you can sign up for a trial. Or, to understand how you can supercharge your Microsoft 365 change management process, contact us for a demo of ChangePilot Pro.

 

Post by Eve Mason
05 August 2025
