Microsoft Viva and the Viva apps work with and integrate into Microsoft 365. This means that the Microsoft 365 security capabilities—like role-based access, identity and app management, and others—apply to Microsoft Viva. The Viva apps can also use specific settings and policies of the apps that Viva interacts with. For example, while all users can access Viva Learning in Microsoft Teams by default, you can use app permissions policies in Teams to allow or block access for specific users.
Before setting up Microsoft Viva, consider the following security recommendations:
Protect data by implementing appropriate access controls and role-based access controls so only authorized users have access to certain data and features. Use Microsoft Entra ID to handle user authentication and authorization.
Provide another layer of security for users by setting up multifactor authentication (MFA).
Make sure that you have a plan for incident response to tackle any security breaches that may occur.
Note
All the scenarios and suggestions provided are general in nature and may vary depending on the type of business and organization. It's important to consult with security experts and conduct your own risk assessments to ensure that you have adequate security measures in place for your specific environment.
In addition to the security capabilities available to Microsoft Viva through Microsoft 365, SharePoint, and Teams, each app has its own security controls and considerations.
Viva Amplify
Viva Amplify uses SharePoint and Microsoft 365 roles to control access and security of your content.
Viva Connections integrates your organization's SharePoint intranet into Microsoft Teams, providing employees with relevant news, information, and resources accessible from desktop or mobile devices.
Security for Viva Connections is largely inherited from Microsoft 365, SharePoint, and Teams. For example, if you configure Viva Connections to include content from Viva Engage in the Feed, your users only see community content from the Engage communities that they already have access to.
Important
This applies to content and cards sourced from Microsoft apps.
The admin tools in Viva Engage help protect your Engage data and determine who can access your Engage network, along with controlling access, managing users, providing secure access on mobile devices via Microsoft Intune, assigning roles, and limiting file uploads. The Engage admin can set up and configure Engage for your organization and manage data, network-related settings, and the various core or premium features within the application. To make someone an Engage admin, make them an Viva Engage administrators in Microsoft Entra ID.
Microsoft Glint is a people-driven platform that provides visibility into the health of your organization and guides effective action.
This happens through the analysis of Microsoft 365 collaborative data and organizational (HR) data that you provide or that's used in Microsoft Entra ID.
Because of the potential sensitivity about how data could be used, Viva Glint uses role-based access to control who has access. Learn about assigning roles for viewing feedback in reporting.
Viva Goals
Microsoft Viva Goals is a goal-alignment solution that connects teams to your organization’s strategic priorities, unites them around your mission and purpose, and drives business. For information about security in Viva Goals, see Viva Goals security, privacy, and compliance.
Viva Insights
Microsoft Viva Insights produces useful insights about how your organization and employees function by analyzing Microsoft 365 collaboration data and organizational (HR) data that you provide or that's used in Microsoft Entra ID.
Because of the potential sensitivity about how data could be used, Viva Insights uses role-based access to control who has access.
The Personal Insights feature is built on Microsoft Graph, which includes a set of REST-based API calls that enable developers to interact with the Microsoft technologies used by your organization. To use these API calls, developers must have specific permissions to access any data they request. Admins control both the deployment of any Microsoft Graph application and permissions to access these applications. You can’t turn access to Microsoft Graph on or off globally in the Microsoft 365 Admin Center; instead you can achieve the same effect by blocking employees’ ability to install third-party apps or by restricting developer access permissions. For more information, see Microsoft Graph and Microsoft Graph security API.
Viva Learning is a centralized learning hub in Microsoft Teams that brings in content from different sources including Microsoft Learn, your organization’s SharePoint sites, LinkedIn Learning, and third-party content providers and learning management systems. Non-Microsoft content that is accessible through Viva Learning is subject to terms other than the Microsoft product terms. Learn more about Viva Learning content terms and conditions.
Viva Learning is enabled by default for all Microsoft Teams users in your organization.
You can turn off or turn on Viva Learning at the organization level on the Manage apps page in the Microsoft Teams admin center. For more information, see Manage your apps in the Microsoft Teams admin center. To control whether specific users have access to Viva Learning, create a custom app permission policy and assign it to those users. For more information, see Manage app permission policies in Teams.
Viva Pulse enables team leads to send brief surveys using research-backed templates to get a snapshot of team sentiment and act on feedback. Additionally, Viva Pulse reporting enables analysis of results and trends so leads can pinpoint what's working well and which areas to focus on over time.
Security for Viva Pulse is largely inherited from Teams. Viva Pulse also supports using access control policies to grant or restrict access to specific features for users and groups. For more information about access control at the feature level in Viva Pulse, see Granular access controls for Viva Pulse.