Copilot Cowork Just Hit GA — and CSP-Managed Tenants Are Hitting a Billing Wall


Why “Your organization is managed by your solution provider” appears, why the customer’s own Azure subscription won’t save you, and the exact partner-side fix.


The symptom

Here’s a scenario that is going to land on a lot of MSP desks over the coming weeks. You have a client who has been happily using Microsoft 365 Copilot Cowork while it was in preview. They love it. They want to roll it out to more people. Then Cowork moves into General Availability, and suddenly they can’t add any new users to it. When they go digging in the Microsoft 365 admin centre, into the Copilot section to sort out billing, they are met with this brick wall:

The exact message

“Your organization is managed by your solution provider. Copilot credit setup for organizations managed by a solution provider must be set up by your provider. Contact your provider to enable consumption-based AI services for your organization.”

The kicker is that this particular client already has a perfectly good pay-as-you-go Azure subscription sitting in their tenant. So the natural reaction is: I have an Azure subscription, I have billing, why is Microsoft telling me to phone a friend?

The short version is that this is not a bug, it is not a permissions problem, and it is not something the client can click their way out of. It is a commerce-channel issue, and the resolution lives with whoever holds the CSP relationship — which, for most of us reading this, means it lives with us.

What actually changed at GA

When Cowork was in preview, the gloves were off — people could use it without the full commercial billing plumbing being in place. At GA, Microsoft moved Cowork behind what they call usage-based billing, powered by Copilot Credits. This is the same consumption model that sits alongside fixed per-user Copilot licensing. Worth noting precisely: as it stands today, this usage-based billing method only applies to Copilot Cowork and the Work IQ API — it is not the whole Copilot estate. Microsoft has said more agents and services will be folded into this model over time, but right now Cowork is the headline reason an MSP will trip over this.

How the new billing model is wired up

Usage-based billing is managed from a new node in the Microsoft 365 admin centre: Copilot, then Cost Management. That is where an admin activates a default spending policy, sets monthly and per-user spending limits, configures alert thresholds, and — critically — chooses a billing method. The billing method is an Azure subscription. Copilot Credits are drawn against that subscription on a pay-as-you-go basis (with optional pre-purchase plans layered on top for discounting, but ignore that for now). So the whole thing hinges on one question: which Azure subscription is allowed to be the billing method? And that is exactly where a CSP-managed tenant comes unstuck.

Why the client’s existing Azure subscription doesn’t help

This is the bit that catches people out, so it is worth being precise. The client genuinely has an Azure subscription. But the Copilot Cost Management setup, in a CSP-managed tenant, will not let them attach it — because that subscription is almost certainly on the wrong commerce channel. When a tenant is managed under the Cloud Solution Provider program, Microsoft routes all consumption commerce — Azure, marketplace, and now these AI services — through the partner’s Microsoft Partner Agreement billing account. A subscription the customer signed up for directly (a credit-card MOSP or direct Microsoft Customer Agreement Azure sub) is a completely separate billing relationship that the partner does not own. The commerce platform sees the tenant flag that says “this org is CSP-managed”, looks for a billing source on the partner channel, doesn’t find one, and throws up the “managed by your solution provider” gate. The presence of some other Azure subscription in the tenant is irrelevant to that check.

The mental model: who owns the commerce channel

If you keep one diagram in your head, make it this one. A CSP-managed customer’s consumption billing has to originate from an Azure plan that the partner provisions under their Microsoft Partner Agreement. The Azure plan gives the customer access to Azure services at pay-as-you-go rates under a Microsoft Customer Agreement, and the resulting Azure subscription lives in the customer tenant but invoices back to the partner. That partner-channel subscription is the only thing the Copilot Cost Management billing-method picker will accept for a CSP tenant. Here is how the three channels compare:

| Billing channel | Who owns it | Works as Cowork billing method in a CSP tenant? |
| --- | --- | --- |
| Direct / MOSP Azure (customer’s own credit card) | The customer | No — wrong channel, not visible to the CSP gate |
| Direct Microsoft Customer Agreement (Azure direct) | The customer | No — tenant is flagged CSP-managed, so this is bypassed |
| Azure plan under Microsoft Partner Agreement (CSP) | The partner (you) | Yes — this is the channel the gate is looking for |

The fix, step by step (partner side)

Assuming you are the CSP for this client, the resolution is to provision an Azure plan and an Azure subscription for them through the partner channel, then point Copilot Cost Management at it. Work through these in order:

  • Confirm the Microsoft Customer Agreement is accepted. In Partner Center, open Customers, select the customer, and check the Microsoft Customer Agreement status on their Account page. You cannot purchase an Azure plan until the MCA is in place — invite them to sign it directly with Microsoft if it isn’t.

  • Purchase the Azure plan. In Partner Center, with the customer selected, choose Add products, set Segment to Commercial, find Azure plan, add to cart, Review and Buy. If the customer already has an active Azure plan, skip to the next step.

  • Create an Azure subscription under that Azure plan. Sign in to the Azure portal with your Partner Center (Admin agent) credentials, making sure you are in your partner directory, not the customer’s. Go to Cost Management + Billing, pick the billing scope for the account where the customer sits, open Customers, select the customer, then All billing subscriptions, and choose Add. Pick a Usage based / Azure subscription with the plan set to Microsoft Azure Plan, then Review and create.

  • Lean on AOBO for the Azure rights. Subscriptions you create through CSP grant Admin-on-Behalf-of, which gives any Admin agent in your partner tenant Owner rights on that subscription automatically. That satisfies the setup wizard’s requirement for Owner or Contributor on the Azure subscription and resource group — no extra role assignment needed.

  • Configure usage-based billing in the customer’s M365 admin centre. Go to Copilot, then Cost Management, and select Get Started. In the Billing method section choose the new CSP Azure subscription. Set a sensible monthly spending limit, a per-user spending limit, and alert recipients and thresholds, then Activate. The Cowork block clears and you can add users again.

Prerequisites worth double-checking before you start

Setup will fail at the last hurdle if any of these are missing, so confirm them up front:

  • On the Microsoft 365 side, the person running the Cost Management setup needs Global administrator or Billing administrator. AI administrator and License administrator can create spending policies and manage limits, but they cannot set or change the billing method.

  • The tenant must have at least one SharePoint licence, or a licence that includes SharePoint. This is a real prerequisite for the Copilot billing node, and easy to overlook on a lean tenant.

  • You need Owner or Contributor on both the Azure subscription and a resource group in it. Via CSP and AOBO this is automatic, but if you have deliberately stripped AOBO and are using Lighthouse or directory accounts instead, make sure the identity doing the setup actually has those rights.

  • An Azure resource group must exist in the subscription — the wizard can create one for you during setup if needed.

Direct CSP vs indirect reseller — know which one you are

There is an important fork here. If you are a direct-bill CSP partner, you hold the Microsoft Partner Agreement billing account yourself and you run every step above in your own Partner Center. If you are an indirect reseller sitting underneath a distributor or indirect provider, you do not own that billing account — the Azure plan purchase is initiated through your indirect provider’s flow, not your own Partner Center billing scope. In that case you coordinate with your distributor to get the Azure plan provisioned, and then you can still handle the Azure subscription creation and the customer-side Cost Management configuration. And if it turns out a completely different provider holds the CSP relationship for this client, then none of this is yours to fix directly — that provider has to provision the Azure plan, or the CSP relationship needs to be transferred to you first.

Gotchas and things I’d watch

A few practical landmines that are easy to step on with this new model:

  • Budgets notify, they don’t stop. A budget on a billing policy triggers email alerts at the thresholds you set, but by default it does not enforce a hard cap or interrupt service. If you want a genuine ceiling, use the monthly spending limit and per-user limits in the Cost Management spending policy, which can actually cut access when hit.

  • Set a per-user limit on day one. The whole point of consumption billing is that a single enthusiastic user can run up real spend. The per-user monthly limit is optional in the wizard, but for an MSP managing someone else’s bill, treat it as mandatory.

  • Region selection is sticky. When you create the billing policy you choose a region that determines where tenant ID and usage data are stored, and you cannot edit the subscription or resource group tied to a policy afterwards. Get it right the first time.

  • Turning pay-as-you-go off is not instant. Disconnecting a service from a billing policy can take up to two hours to actually stop users, so don’t panic if access lingers briefly after you flip it off.

  • Pre-purchase plans layer on top, they are not an either/or. If cost predictability matters, a Copilot Credit pre-purchase plan gives discounted credits that are consumed first, with pay-as-you-go catching any overage. You don’t have to choose one or the other.

The takeaway

This is going to be a recurring support ticket. Cowork going GA is good news, but the GA billing model assumes the customer can attach their own Azure subscription — and for CSP-managed tenants that assumption simply doesn’t hold, no matter how many Azure subscriptions are already sitting in the tenant. The fix is entirely on the partner side: provision an Azure plan and subscription through the CSP channel, then point Copilot Cost Management at it. If you manage Microsoft 365 customers through CSP and any of them are using Cowork, get ahead of this now, because the moment GA flips the billing requirement on, their ability to add users stops until you’ve done the plumbing. As always, plan it, test it on one tenant, and document the steps so your L1 team can repeat them.

The remote shell you already own and never switched on



A client rings. A machine’s behaving strangely — fake-looking PowerShell, a scheduled task nobody created, something. What do most of us do?

We RDP in. Or worse, we send someone onsite.

Here’s the thing. If that device is onboarded to Defender for Endpoint, you already have a remote command line sitting right there in the portal. You can be on the box, reading its running processes, in about thirty seconds. From your desk.

Most MSPs I talk to have never turned it on. For some it’s a checkbox they walked straight past during onboarding. For others — and this is the part that trips people up — it’s a licence they didn’t realise they’re missing. Either way, it’s a gap worth closing.

What is Live Response, really?

Live Response is a secure remote shell into any onboarded device, run entirely from the Defender portal. No RDP. No VPN. No jump box. No asking a panicked user to “click the thing I just emailed you”.

You open a session and you’re talking to the machine in real time. List processes, pull a suspicious file back to the portal for analysis, kill something, drop a registry change, or run a PowerShell script you’ve pre-loaded.

Think of it as the SSH session you always wished you had for your Windows fleet — except the audit trail writes itself and you never went near the network.

Here’s the real win. The thirty minutes you used to burn coordinating remote access to a maybe-compromised box just disappears. You’re simply there.

Step-by-step: getting on the box

This lives in Live Response in Defender for Endpoint, and it needs Defender for Endpoint Plan 2.

Now read this next bit carefully, because it’s where the assumption bites. Business Premium does not give you Plan 2. Business Premium includes Defender for Business — same great EDR detections, and the basic response actions you’d expect (isolate the device, run an antivirus scan, quarantine a file). But Live Response, the remote shell, is not in Defender for Business. It’s a Plan 2-only feature.

So before you promise a client “I’ll just hop on the box,” check what they’re actually licensed for. To get Live Response onto a Business Premium tenant you need either the Defender Suite for Business Premium add-on (around $10/user/month — which also lands you Defender for Office 365 P2, Entra ID P2 and more) or a standalone Defender for Endpoint Plan 2 licence.

And one last gotcha that catches people out: even after you assign the licences, the tenant defaults to the Defender for Business experience. You have to contact Microsoft Support and ask them to switch the tenant to the Plan 2 experience before the remote shell appears. It’s a one-time thing, but it’s a ticket, not a toggle.

None of this is a reason not to do it. It’s a reason to do it deliberately — a line item on the proposal and a switch request, not a feature your client already paid for and forgot about. Honestly, for a managed-security MSP that’s the easy version of this conversation: “for ten dollars a user I can be on any sick machine in thirty seconds” sells itself.

Turn it on first

This is the step everyone misses. Even once you’re licensed, Live Response is off by default.

Go to the Microsoft Defender portal, then Settings > Endpoints > Advanced features. Flip Live Response on. If you want to push scripts to servers too, enable Live Response for Servers. Save. (Configure advanced features walks through every toggle on that page.)

There’s a second switch just below: Live Response unsigned script execution. Leave that off. I’ll come back to why.

Check who’s allowed

Live Response is gated by role. Read-only permissions can look but not touch. To actually run commands and push files, your technician group needs the right Defender permission assigned. Sort this before an incident, not during one.

Open a session

Find the device in the inventory, open its page, and click Initiate live response session. Give it a few seconds to connect, and you’ve got a prompt.

Build your library once

This is where it goes from handy to a service. From the session console — or the Library management page — you can upload PowerShell scripts and run them on demand with a single command (upload to the live response library). Write the scripts once, run them across every client tenant.

A triage runbook might look like this:

run Get-RunningProcesses.ps1
run Get-PersistenceItems.ps1
run Collect-EventLogs.ps1
getfile "C:\Users\Public\suspicious.exe"

Notice what’s missing? No RDP credentials. No copying scripts onto the box and hoping nobody double-clicks them. No “can you read me the error message”. You point at the device, run a vetted script, pull the evidence back. Same four commands, every tenant, every time.
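The runbook above only names its scripts, so here is a sketch of what a Get-PersistenceItems.ps1 could contain. It is an added example, not the author's script or anything shipped by Microsoft; the choice of locations to check and the assumption that the session runs as SYSTEM (so per-user keys are read through HKEY_USERS) are mine.

```powershell
# Get-PersistenceItems.ps1 -- constructed example, not the author's or Microsoft's script.
# Read-only: lists common autostart locations and writes JSON to the console,
# so the output of "run Get-PersistenceItems.ps1" can go straight into the ticket.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Value)
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
}

# 1. Run / RunOnce keys, machine-wide (64-bit and 32-bit views).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Per-user keys are read through HKEY_USERS: the script's own HKCU belongs to the
# account running it (assumed here to be SYSTEM), not to the logged-on user.
foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($path in $runKeys) {
    $key = Get-Item -LiteralPath $path
    if ($null -eq $key) { continue }          # key not present in this hive
    foreach ($valueName in $key.GetValueNames()) {
        Add-Finding -Source $path -Name $valueName -Value ([string]$key.GetValue($valueName))
    }
}

# 2. Scheduled tasks outside the \Microsoft\ tree, with what they execute.
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; other action types show up blank.
        Add-Finding -Source 'ScheduledTask' -Name "$($task.TaskPath)$($task.TaskName)" `
            -Value "$($action.Execute) $($action.Arguments) [author: $($task.Author)]"
    }
}

# 3. Auto-start services whose binary lives outside the Windows directory.
$winDir = [regex]::Escape($env:SystemRoot)
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { $_.PathName -and $_.PathName -notmatch "^`"?$winDir\\" } |
    ForEach-Object { Add-Finding -Source 'Service' -Name $_.Name -Value $_.PathName }

# 4. Startup folders: the all-users folder plus every profile on the system drive.
$startupGlobs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*",
    "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*"
)
Get-ChildItem -Path $startupGlobs -File -Force |
    Where-Object { $_.Name -ne 'desktop.ini' } |
    ForEach-Object { Add-Finding -Source 'StartupFolder' -Name $_.Name -Value $_.FullName }

# Emit one JSON document for the console and the evidence pack.
$findings | ConvertTo-Json -Depth 3
```

With unsigned script execution left off, as recommended earlier, a script like this has to be signed before it goes into the library.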

Why this actually changes behaviour

“We don’t touch the machine until we know what we’re dealing with.”

That used to mean waiting. Now it means a thirty-second session and a script you wrote last month.

Here’s what shifts. Triage stops being a scheduling problem and becomes a muscle. Your L1 can open a session and run the runbook before escalating, which means your L3 gets a tidy evidence pack instead of a vague ticket. The work moves down a tier and your senior people stay doing senior work.

And that unsigned-scripts toggle I told you to leave off? That’s the discipline. If every script in your library is signed, a compromised technician account can’t quietly run arbitrary code across your clients’ fleets through your own tooling. Convenience that becomes an attack path isn’t convenience. Leave it off.
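Keeping that toggle off only helps if the library really is fully signed by the certificate you expect. The following is an added example, not part of Defender or the original post: a pre-upload gate that checks every script in a local copy of the library. The script name, the folder layout and the idea of pinning to a single signer thumbprint are assumptions.

```powershell
# Test-LibrarySignatures.ps1 -- constructed example, not part of Defender or the original post.
# Run on the workstation or build agent that holds the scripts, before they are uploaded
# to the Live Response library. Exits non-zero if any script fails the check.
param(
    [Parameter(Mandatory)] [string]$LibraryPath,       # local folder with the scripts (assumed layout)
    [Parameter(Mandatory)] [string]$SignerThumbprint   # thumbprint of your code-signing certificate
)

# Thumbprints copied from the certificate dialog often contain spaces; normalise first.
$expected = ($SignerThumbprint -replace '\s', '').ToUpperInvariant()

$scripts = @(Get-ChildItem -LiteralPath $LibraryPath -Filter '*.ps1' -File -Recurse |
    Where-Object { $_.Extension -eq '.ps1' })
if ($scripts.Count -eq 0) {
    Write-Error "No .ps1 files found under $LibraryPath"
    exit 2
}

$report = foreach ($script in $scripts) {
    $sig      = Get-AuthenticodeSignature -LiteralPath $script.FullName
    $problems = @()

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails the gate.
    if ($sig.Status -ne 'Valid') {
        $problems += "status=$($sig.Status)"
    }
    # A valid signature from some other certificate is still not *your* signature.
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -ne $expected) {
        $problems += 'unexpected signer'
    }

    [pscustomobject]@{
        Script      = $script.FullName
        Signer      = $sig.SignerCertificate.Subject
        # Without a timestamp the signature stops validating when the certificate expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
        Sha256      = (Get-FileHash -LiteralPath $script.FullName -Algorithm SHA256).Hash
        Result      = if ($problems) { 'FAIL: ' + ($problems -join ', ') } else { 'OK' }
    }
}

$report | Format-Table -AutoSize -Wrap

$failed = @($report | Where-Object { $_.Result -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($scripts.Count) scripts are not signed by the expected certificate."
    exit 1
}
```

The recorded SHA-256 values give you a reference to compare against if you later need to confirm that the copy held in a tenant's library is the one you signed.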

If you’re selling managed Defender and you’re still RDP-ing in to triage, you’re billing time for a problem Microsoft already solved for you — assuming you’ve licensed the fix.

Live Response isn’t there to make remote access faster. It’s there to make “let me get on the machine” a non-event.

Check which tenants are licensed, turn it on this week, and the next incident will thank you.

Can MSPs Actually Bill for Copilot Cowork?


I’ve been mulling over a question that doesn’t get asked enough, and I think it deserves a hard look: when Copilot Cowork lands with pay-as-you-go billing, do small and midsize MSPs actually have the skills to handle it? Not the product. The billing. Because from where I sit, that’s the part most of us are least prepared for.

For years, the SMB MSP model has run on something beautifully predictable: per-seat licensing. A client has thirty users, you sell thirty licences, you mark them up, and everyone knows what next month’s invoice looks like before it arrives. That predictability is the whole foundation. It’s what lets you quote a managed services agreement with a straight face. Consumption billing pulls that foundation out from under you.

We’ve Never Had to Read This Kind of Meter

PAYG is a different animal. Usage goes up and down. Costs follow. Suddenly you’re not selling a fixed thing, you’re selling access to a meter that ticks based on what people actually do inside Copilot. And here’s the uncomfortable truth — most of us have never had to read a meter like this before. We don’t have the muscle for it.

Think about the questions a client will ask the moment their first variable bill arrives. Why was it higher this month? Which users drove that? Was it worth it? If your answer is a shrug and a forwarded Microsoft invoice, you’ve got a problem. You need to pull the usage data, make sense of it, and explain it in plain English. That’s not a skill most SMB MSPs have built, because we’ve never needed it.

Configuring It Is the Easy Part

Turning Copilot Cowork on through the admin centre isn’t the hard bit. Microsoft will make that straightforward enough. The hard bit is everything that wraps around it — setting spending limits so a client doesn’t get a nasty surprise, deciding who gets access, and putting guardrails in place before usage runs away from you.

Then comes reporting, which is where I think the real gap shows. Can you stand in front of a client at the monthly meeting and show them, clearly, what they consumed and what they got for it? You’ll be living in the Microsoft 365 admin centre and the usage reports, and you may well end up pulling that data into Excel — perhaps asking Copilot itself to summarise the month’s consumption into something a business owner can read in thirty seconds. If you can’t produce that story, the client will assume the worst.

This Is a Discipline We Have to Learn

What worries me isn’t the technology. It’s that consumption billing is a genuine discipline, and it’s one the SMB MSP world has largely skipped. The cloud providers have been doing variable billing for years. Most of us serving small business have not. We’ve been comfortable in fixed-price land, and Cowork is going to ask us to grow up fast.

So I’d put the question back to you honestly. Could your business take on a client with Copilot Cowork tomorrow, configure it sensibly, manage the spend, and report on it with confidence? If there’s hesitation in that answer, you’re not behind — you’re normal. But the MSPs who close that gap early, who learn to read the meter and tell the story, are the ones who’ll own this conversation. The rest will be forwarding invoices and hoping nobody asks why.

Do an Audit of Who’s Actually In Your Corner


A few weeks ago I was on a long drive home from a client meeting and I started running through the names of people I’d actually spent real time with over the past year — not the LinkedIn list, the actual list. The ones who’d had my ear, my weekends, my energy and, in some cases, my best thinking. By the time I got home I realised something a bit uncomfortable. A handful of those names didn’t really belong on it anymore. Not because they’re bad people. Because they’re not pulling in the same direction I am.

That’s the part nobody likes to say out loud.

The question worth sitting with

There’s one question I think every business owner should ask themselves once a year, and it’s blunt: is the time I spend with this person making me sharper, or just making me comfortable?

Comfortable is the trap. Comfortable feels like loyalty, like history, like the easy lunch where nothing hard ever gets said. Growth tends to live somewhere else.

I’ve started using Copilot in Outlook to actually look at the data. I’ll ask it to pull together who I’ve met with most over the last three months and the answer is sometimes a surprise. The people I think I’m investing in and the people my calendar shows I’m investing in are not always the same list. Calendars don’t lie. They quietly show you where your time really goes, and once you’ve seen it laid out on a page you can’t unsee it.

Three filters I run people through

When I’m doing this stocktake, I look at three things, and I try not to overthink any of them.

The first is how I feel walking away from the conversation. If I leave a coffee buzzing with ideas and a list of things to try, that’s a signal. If I leave flat and quietly wanting a nap, that’s also a signal. The body keeps a fairly honest scoreboard, even when the head is trying to be polite about it.

The second is whether they’re actually moving. Movement doesn’t have to be loud — I know plenty of quiet operators who are building something serious. But if someone has been telling me the same story about the same plan for three years running, that stagnation will start to drag on you whether you notice it or not.

The third is whether they’ll tell me I’m wrong. The people who only ever agree with me have very little to offer me. The ones who push back, who ask the awkward question, who say “are you sure about that?” — those are the ones I keep close. Anyone who’s only ever told me what I wanted to hear has never once helped me improve.

The hardest cuts are the kindest people

The brutal part of this exercise isn’t the obvious ones. It’s the genuinely lovely humans who just don’t fit where you’re heading next. Lovely doesn’t equal useful. You can wish someone well, mean it completely, and still recognise that the season of regularly being in each other’s diaries has run its course. That’s not betrayal. That’s adulthood.

I keep a private Loop page with my thinking on this — a few names, a few notes, no judgement attached. Copilot helps me draft the reflection prompts when I’m not quite sure what I’m trying to articulate. It’s not a kill list. It’s a way of being deliberate about where my hours go next year, because nobody else is going to be deliberate about it for me.

If you’ve never done a Friendventory, do one this month. Block an hour in your calendar, pour something decent, and walk through the names honestly. The people in your corner shape the business you build next. Pick them on purpose, because by default you’ll just keep whoever was around when you started.

Need to Know podcast–Episode 367

This episode ultimately reflects on how organisations must adapt to an environment where solutions are no longer neatly balanced between simplicity and capability. Instead, businesses need to reassess priorities, stay informed, and make deliberate choices about which innovations deliver real value. For SMBs, the challenge is not just keeping up—but identifying what’s truly “good enough” in an increasingly complex cloud-first world.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-367-goldilocks-gone/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog

Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron

CIAOPS AI Dojo

CIAOPS weekly news update – CIA Brief – CIAOPS

CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS

Get your M365 questions answered via email

Join my email list

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

AutoJack: How a single page can RCE the host running your AI agent

Azure Sets a New Performance Record for LLM Training Benchmark at Extreme Scale

Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave report

Copilot Cowork is now generally available

Microsoft Defender email security benchmarking: Key insights from one year of data

Stay productive in new Outlook for Windows with these 5 features

What’s new in Power Platform: June 2026 feature update

What’s New in Notebooks | June 2026

Mercedes-AMG PETRONAS F1 Team responds to the intensity of race weekends with Microsoft

AI brands as bait: How threat actors are using the AI hype in social engineering

AI Is Starting to Feel Like the Petrol Bowser


I filled up the car last weekend and did that thing we all do now — glanced at the price per litre, winced a little, and worked out whether to fill the tank or just put in enough to get me through the week. It struck me, standing there, that I’ve started having the exact same conversation about AI.

For a while, AI felt free. You paid your subscription, you used it, and the meter never seemed to run. That era is ending. Token prices, usage caps, premium request limits — the cost of running AI is becoming visible, metered, and impossible to ignore. For a small business, it’s shifting from a novelty into a line item. And like petrol, it’s no longer optional. You can’t really run the business without it, but you can’t ignore what it costs either.

A running cost, not a one-off

The mistake I keep seeing is treating AI like a piece of software you buy once and forget. It isn’t. It behaves far more like fuel or electricity — something you consume, in varying amounts, every single day. Some weeks you’ll barely touch it. Other weeks, when you’re deep in a proposal or cleaning up a quarter’s worth of numbers, you’ll burn through it.

That changes how you should think about it. A running cost needs watching. It needs a budget. And it needs someone, every so often, asking the plain question: are we actually getting value for what we’re spending here?

Spend where the work actually is

Here’s where it gets interesting for a small business. You haven’t got an unlimited tank, so you have to decide where AI earns its keep. For most of the small operations I work with, the answer isn’t exotic. It’s the boring, repetitive, time-sapping work — the email triage, the first draft of a report, the summary of a long meeting nobody wants to rewatch.

That’s exactly where Copilot inside Microsoft 365 pays for itself. Asking Copilot in Outlook to clear and draft replies to a morning’s backlog saves real hours. Having it summarise a Teams meeting you missed, or pull the key figures out of an Excel workbook, turns an afternoon into a few minutes. The trick is to point your spend at the tasks that are costing you time and money today — not the shiny demos that look clever but never touch your actual week.

Economise without going without

The same way you don’t leave the car idling in the driveway, you don’t want AI burning through your allowance on low-value busywork. Be deliberate. Use the everyday Copilot features that already come with your licence before you reach for premium-priced add-ons. Give your people a quick steer on what’s worth asking and what’s just noise. And look at the bill — actually check where the consumption is going, the way you’d question a sudden jump in the power account.

None of this is about spending less for its own sake. It’s about spending on purpose.

Where I’ve landed

Petrol taught small business owners to think in terms of value per trip, not just price per litre. AI is heading the same way. The ones who do well won’t be those who spend the most or the least — they’ll be the ones who know exactly what they’re buying and why. Watch your usage, back the work that matters, and treat AI like the utility it’s quietly becoming. The meter is running now. Best to know what it’s running on.

The Clients You Need to Let Go


Last Saturday morning I sat down with a coffee and went through my client list properly. Not the polished version on a spreadsheet — the honest one. The list where you stop and ask yourself which names make your shoulders drop when they appear in your inbox.

Out of every hundred clients, maybe twenty fit that description. They weren’t bad people. But they were the ones who turned a thirty-minute call into ninety. The ones who treated every standard you set as optional. The ones who had a complaint queued up before they’d even tried what you suggested.

And here’s the part most MSP owners don’t want to admit out loud: those clients aren’t just slightly more work. They quietly run the place.

The Maths You’ve Been Avoiding

Sit down and add up the hours. Not the billable ones. The total ones. The Friday afternoon you spent re-explaining MFA for the fifth time. The Sunday email you answered because they wrote at 9pm and you didn’t want them to think you’d ignored them. The team meeting that ran twenty minutes long because someone needed to vent about a client who refuses to follow the playbook.

If you log it honestly for a fortnight, the pattern is uncomfortable. A small handful of clients eat a disproportionate slice of your week, your team’s morale, and your own headspace. The rest of your book — the ones who pay on time, listen to your advice, and treat your team with respect — get whatever scraps of attention are left over.

Copilot Can Show You What You Already Suspect

Here is where Microsoft 365 quietly earns its keep. Ask Copilot in Outlook to summarise the volume and tone of messages you’ve exchanged with a particular client over the last quarter. Open your Teams channels and let Copilot in Teams surface the recurring complaints by topic. Pull up the recap from your last quarterly review with that client and read it back without the emotion of being in the room.

You will see it plainly. The same three issues raised four quarters in a row. The same standards politely ignored. The same tone in every second message. Copilot isn’t telling you anything new. It’s just laying out the evidence you’ve been too busy or too loyal to read properly.

I have started doing this every quarter. It takes about twenty minutes per client, and it removes the wishful thinking. You stop asking “are they really that bad?” and start asking the more useful question: “Why am I still putting up with this?”

The Conversation Itself

When you do decide to end the relationship, do it cleanly. Refund what is fair. Offer to hand over their data in a tidy package via OneDrive. Recommend a provider who is genuinely a better fit for them — not a punishment, just a different match.

I draft the offboarding email in Word with Copilot’s help, sit on it overnight, then read it again in the morning. If it still says what needs saying, I send it. No long justification. No door left ajar. A short, professional close.

What You Get Back

The first time I did this properly, three things shifted within a month. My team felt lighter. Monday mornings stopped starting with dread. And the clients I genuinely respect — the ones who do the work, follow the advice, ask good questions — got noticeably more of me.

That last shift is the one that matters. The people paying for your best work deserve your best attention, and you simply cannot offer it while a small group is quietly running off with the fuel.

Sensitivity labels and auto-labelling: put a name on your data

Most people meet sensitivity labels the wrong way.

They see encryption and Purview and compliance in the same sentence and decide it’s an enterprise problem. Something for banks. Something that needs E5, a consultant, and six months.

So they leave the whole thing switched off.

Then a client emails a payroll spreadsheet to the wrong “David” in the address book, and it becomes very much their problem.

Here’s what I want you to understand. A sensitivity label isn’t a lock. It’s a name tag you put on information so Microsoft 365 knows how to treat it — and most of the value shows up before you’ve encrypted a single file.

What are sensitivity labels, really?

A sensitivity label is a tag that travels with the content. Apply Confidential to a Word doc and that label rides along into SharePoint, OneDrive, Teams, and the email it’s attached to — even off your tenant, if you allow it.

What the label does is up to you. It can simply mark the document with a header, footer, or watermark. It can show a visual classification users notice. Or it can go further and encrypt the file so only the right people open it.

That range is the bit people miss. You don’t have to start with encryption. You can start with classification — and classification on its own changes how people handle a file.

Step-by-Step: build your first label

Everything lives in the Microsoft Purview portal at purview.microsoft.com, under Information Protection. Microsoft seeds new tenants with a default set, but build and publish your own so the names actually mean something to your client.

Turn on labels for files

Before a label will stick to documents in SharePoint and OneDrive, go to Settings > Information Protection and turn on co-authoring for files with sensitivity labels. Skip this and your labels won’t apply to files at rest. It catches everyone once.

Create the label

Under Information Protection > Sensitivity labels, select Create a label. Give it a name your users will understand, not a compliance codeword. Set the scope to Files and emails.

Decide what it does

Now choose protection. Content marking — a header, footer, or watermark — is the gentle option. Access control with encryption is the heavy one. For your first label, pick marking. You can add teeth later.

Publish it

A label nobody can see does nothing. Create a label policy, add your label, and publish it to a group of users. Now it shows up under the Sensitivity button in Word, Excel, PowerPoint, and Outlook.

That’s a working label. Manual, user-applied, and included with the sensitivity-label entitlement most of your Business Premium clients already hold.

Step-by-Step: let the tenant do the labelling

Manual labels rely on people remembering. People don’t. So the next step is auto-labelling — and this is where the licensing line sits, so be straight with clients.

Pick your method

There are two. Client-side auto-labelling prompts or applies a label while someone edits a document in Office. Service-side auto-labelling policies scan content already sitting in SharePoint and OneDrive, plus mail moving through Exchange, with no user involved at all.

Run it in simulation first

This is the setting that saves you. An auto-labelling policy runs in simulation mode — it shows you exactly what would get labelled across the tenant without touching a thing. My recommendation? Always simulate, read the matches, fix your conditions, then turn it on.

Mind the licence

Auto-labelling — both flavours — needs the E5-tier Information Protection entitlement, not the base Business Premium one. Manual labels are included. Automatic ones aren’t. Don’t promise a client auto-labelling on a licence that doesn’t carry it.
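The two walkthroughs above (build and publish a label, then auto-label in simulation) can also be scripted through Security & Compliance PowerShell, which helps when you repeat the setup across client tenants. This is an added example, not part of the original article. The pilot group address, policy names, tooltip and marking text are placeholders, and it assumes the tenant-level setting from the first step is already switched on.

```powershell
# Added example: scripted version of the portal steps described above.
# Requires the ExchangeOnlineManagement module and a Purview role that can manage labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName  = 'Confidential'                  # name taken from the starter taxonomy
$pilotGroup = 'label-pilot@contoso.example'   # placeholder: mail-enabled group of pilot users

# Create the label: scope Files and emails, content marking only, no encryption.
$label = @{
    Name                             = $labelName
    DisplayName                      = $labelName
    Tooltip                          = 'Business data that should stay inside the organisation.'
    ContentType                      = 'File, Email'
    ApplyContentMarkingHeaderEnabled = $true
    ApplyContentMarkingHeaderText    = 'Confidential'
    ApplyWaterMarkingEnabled         = $true
    ApplyWaterMarkingText            = 'CONFIDENTIAL'
}
New-Label @label

# Publish it: a label policy makes the label visible under the Sensitivity button.
New-LabelPolicy -Name 'Pilot label policy' -Labels $labelName -ExchangeLocation $pilotGroup

# Service-side auto-labelling, created in simulation so nothing is labelled yet.
# Needs the E5-tier Information Protection entitlement the article mentions.
$auto = @{
    Name                  = 'Simulate - credit cards'
    ApplySensitivityLabel = $labelName
    SharePointLocation    = 'All'
    OneDriveLocation      = 'All'
    Mode                  = 'TestWithoutNotifications'   # simulation mode
}
New-AutoSensitivityLabelPolicy @auto

# One rule per workload, matching the built-in "Credit Card Number" information type.
foreach ($workload in 'SharePoint', 'OneDriveForBusiness') {
    $rule = @{
        Name     = "Credit cards - $workload"
        Policy   = $auto.Name
        Workload = $workload
        ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    }
    New-AutoSensitivityLabelRule @rule
}

# Confirm the policy is still in simulation before anyone reviews the matches.
Get-AutoSensitivityLabelPolicy -Identity $auto.Name | Format-List Name, Mode, ApplySensitivityLabel
```

Review the simulation matches in the Purview portal and tighten the rule conditions before changing `Mode` to `Enable`.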

“So do I need encryption on everything?” No. Most of my labels never encrypt anything. They classify. Encryption is reserved for the one or two labels that genuinely need it.

Here’s a starter taxonomy worth copying:

Personal
Public
General
Confidential
Highly Confidential

Notice what’s missing? Encryption — on four of the five. The top label might lock files down. The rest just name the sensitivity so people, and the tenant, treat them accordingly. Classification first, control second.

Why this actually changes behaviour

A labelled file behaves differently. DLP policies can key off the label. Auto-labelling can find the credit-card numbers your user forgot were buried in an old quote. And both SharePoint and Copilot respect the access a label enforces — which matters more every month.

But the quiet win is human. When someone clicks Confidential and a watermark appears, they slow down. They think before they forward. The label is doing the teaching.

Set it up once. It keeps working while everyone’s asleep.

Sensitivity labels aren’t there to make compliance harder. They’re there to make a careless mistake hard to make by accident.

If you’re rolling out Microsoft 365 and your clients’ data still has no name on it — that’s the gap. Put a name on it.