CIAOPS Need to Know Microsoft 365 Webinar – June


Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at SharePoint Skills.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

June Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2606 )

The details are:

CIAOPS Need to Know Webinar – June 2026
Friday 26th of June 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS YouTube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Three Power Automate flows every MSP should productise


Every MSP I talk to has the same Power Automate problem.

Not a tech problem. A consistency problem.

Client A has a leave-request flow built by some intern in 2022. Client B has an onboarding flow that emails three people, one of whom left last year. Client C runs approvals through someone’s personal Outlook because it was “quicker that way”.

That’s not automation. That’s tribal knowledge held together by hope.

The fix isn’t more flows. The fix is three flows, built once, exported, and dropped into every client tenant you touch.

What is a Power Automate solution, really?

A flow on its own is a personal toy. It lives in someone’s default environment, it’s owned by one person, and the day they leave the tenant the flow dies with them.

A solution is that same flow, packaged with connection references and environment variables, exported as a file, and imported into any other tenant. Same flow. Different SharePoint site, different approvers, different mailbox — wired up at import time, not hardcoded.

That’s the move. Stop building per-client. Start building once and deploying everywhere.

If you’re charging your clients for automation as a service, this is what productisation actually looks like.

The three worth standardising

There are hundreds of templates in the Power Automate gallery. Most MSPs don’t need hundreds. They need three:

  • Approvals — anything that needs a yes/no with an audit trail

  • Joiner (onboarding) — new staff member, day one

  • Leaver (offboarding) — staff member out, access gone, evidence kept

Build those three properly as a managed solution and you’ve covered eighty percent of the automation requests you’ll get from an SMB client this year.

Step-by-Step: stand up the Approvals flow first
Open Power Automate inside a dedicated solution

Sign in to Power Automate, pick Solutions on the left, and create a new one. Give it a publisher name like YourMSP_Automation. Don’t skip this. Flows created outside a solution can’t be exported cleanly later.

Pick the right approval type

Open the Start and wait for an approval action and look at the dropdown. There are four real options — Approve/Reject – Everyone must approve, Approve/Reject – First to respond, Custom Responses – Wait for all responses, Custom Responses – Wait for one response — plus sequential. Most SMB approvals are First to respond. Document sign-offs are usually Everyone must approve. Pick deliberately. The full approvals reference is on Microsoft Learn.

Use environment variables for the approvers, not hardcoded emails

This is the bit MSPs skip and then regret. Don’t type finance@clientco.com into the Assigned To box. Create an environment variable called ApproverEmail, reference it in the action, and set the value at import time.

Here’s what the assignment looks like in the action:

@{parameters('ApproverEmail (yourmsp_approveremail)')}

Notice what’s missing? A client name. That’s the point. Same flow, twelve tenants, twelve different approver emails — none of them baked into the export.

Export it as a managed solution

Solutions > your solution > Export > Managed. You ship managed solutions to client tenants and keep the unmanaged copy in your build tenant. Microsoft’s import guide walks through what the receiving tenant sees — connection references prompt for new accounts, environment variables prompt for values, and your flow turns itself on when it lands.

Joiner and Leaver follow the same shape

For Joiner the trigger is usually a new Microsoft Lists item or a Forms submission. The flow creates the Entra user, assigns licences, drops them into groups, posts a welcome card to a Teams channel, and sends the manager an approval to confirm everything looks right before the password lands in the helpdesk mailbox.

For Leaver the trigger is the same list, different status. The flow disables sign-in, revokes sessions, converts the mailbox to shared, transfers OneDrive ownership to the manager, and writes a row to a SharePoint list that becomes your audit trail when the cyber insurance auditor asks “what was your offboarding process on the 14th of March?”.

Both flows reuse the same three environment variables — HelpdeskMailbox, ManagerApprovalGroup, OffboardingEvidenceList. Build once. Import twelve times. Done.

One more thing: lock the connectors down before you ship

Before you push any of this into a client tenant, set a Data Loss Prevention policy in the Power Platform admin centre. Put Office 365, Approvals, SharePoint, and Teams connectors in the Business group. Put Twitter, Dropbox, Gmail, and the rest in Non-Business or Blocked. Microsoft’s DLP guidance spells out why this matters: without it, any maker in the tenant can build a flow that pipes mailbox data into a personal Dropbox.

Before: “Can you build us a leave-request flow?”

After: “We’ll deploy our standard approvals solution to your tenant on Friday.”

That’s the shift. From bespoke build to productised deployment. From “this might take a few days” to “this is a forty-minute import”.

Why this actually changes behaviour

If you’re an MSP and you’ve built the same flow three times for three clients, you’re not running an MSP. You’re running a freelance bench with a logo.

The three-flow library — approvals, joiner, leaver — is the smallest automation product that pays back. It compresses delivery time. It standardises what “good” looks like across every client you touch. And when a client says “we’d like our offboarding to leave evidence for our cyber insurer”, you don’t quote a project. You import a solution.

Here’s the real win. Once these three are running cleanly, the conversation with the client changes. They stop asking if you can automate something. They start asking what else you’ve already got in the library.

That’s where the margin is.

Build the flow once. Sell the deployment every time.

The Pendulum Might Be Swinging Back to On-Premises


For years the story was simple. Move everything to the cloud, pay for what you use, never buy a server again. I bought into a lot of that, and for plenty of workloads it still holds up. But lately I’ve been having a different conversation with MSP owners, and it keeps circling back to one thing: the cost of running AI is climbing, nobody is quite sure where it stops, and it’s no longer a fringe worry — it comes up in nearly every planning chat I sit in on.

The bill that grows while you sleep

Here’s what I’m seeing. A client switches on an AI feature, the team loves it, usage goes up, and three months later the invoice has quietly doubled. Tokens — the units these models bill against — get consumed every time someone asks a question, summarises a thread, or drafts a reply. Individually they cost almost nothing. At scale, across a busy business, they add up fast.

The trouble is the meter never sleeps. A traditional software licence is a known number you can budget around. Token-based AI is a tap that’s always running, and the more useful it becomes, the more it costs. I’ve watched owners realise that the productivity win they were celebrating has a recurring price tag attached that grows in lockstep with their success.

Why bringing it home is back on the table

This is where on-premises starts creeping back into the conversation. Hardware that runs capable models locally is getting cheaper and far more practical. For a business with predictable, high-volume AI work — document processing, internal search, summarising the same kinds of records all day — a one-off box in the comms room can start to look smarter than an open-ended monthly bill.

I’m not saying everyone rips out the cloud. That would be daft. But the calculation has shifted. Five years ago, running your own AI infrastructure was exotic and expensive. Now it’s a line item a serious MSP can actually model for a client and stand behind, and that’s a service opportunity worth taking seriously.

The hybrid answer most businesses will land on

In practice I think most organisations end up somewhere in the middle, and that’s fine. Microsoft 365 Copilot is a good example of where the cloud stays. When someone asks Copilot in Outlook to draft a reply, or pulls a summary out of a long Teams meeting, that’s woven so tightly into the service that dragging it on-premises makes no sense. You’re paying for the integration, not just the tokens.

But the heavy, repetitive, high-volume jobs — the ones that chew through tokens by the thousand — are exactly the ones worth questioning. Does that bulk processing need to sit in a metered cloud, or could it run on a local model and feed the results back into SharePoint or a Power Automate flow? That’s the kind of question I think every MSP should be asking on behalf of their clients this year.

Where I’ve landed

The pendulum has swung hard towards the cloud for a decade, and it’s earned its place. But cost has a way of correcting fashion. When the meter starts hurting, people look for the off switch — and sometimes the off switch is a server you own. Watch your AI usage like any other variable cost. Know which workloads belong in Copilot and the cloud, and which ones might be cheaper closer to home.

The Quiet Power of Showing Up


A few weeks ago I came across a study that stuck with me. Researchers looked at more than 10,000 millionaires and asked them what they thought made the difference. Eighty-five per cent put it down to one thing — habits. Not a lucky break, not a clever bet, not the right surname. Just small things, done consistently, over a long stretch of time.

That number is hard to ignore. And the more I sit with it, the more it lines up with what I see in business — and increasingly, in how people are using tools like Microsoft 365 Copilot.

The compounding effect of small things

We tend to overestimate the dramatic and underestimate the daily. The big launch, the big deal, the big idea — those get the headlines. But the people who quietly build something real are usually doing the same handful of unglamorous things every day. Reviewing the numbers. Following up. Answering the message they’d rather avoid. Showing up when nobody is watching.

Consistency is boring. That’s why it works. Most people can’t sustain it, and that’s exactly why the few who do tend to pull away.

Where this lands inside Copilot

Here’s what I’m noticing with Copilot. The professionals who get real value out of it are not the ones with the cleverest prompts or the longest training videos. They’re the ones who’ve built it into their daily rhythm — quietly, without ceremony.

Every morning, they ask Copilot in Outlook to summarise the overnight inbox before they touch a single email. They run the recap inside Teams the moment a meeting ends, while it’s still fresh. They draft the first cut of a proposal in Word with Copilot, then sharpen it themselves. None of these are clever. None require a prompt engineering certificate. They’re tiny, repeatable habits.

Six months in, the difference between someone who does this daily and someone who reaches for Copilot once a fortnight is enormous. Same licence. Same tool. Wildly different outcome. The gap isn’t talent — it’s frequency.

Why most people quit before it pays off

The trouble with habits is that the early payoff is small, almost embarrassingly so. You ask Copilot to draft a reply and the first version isn’t quite right. You try again, it’s better. You move on. Nothing dramatic happened. There are no fireworks that make you feel like a genius.

That’s the test. Most people abandon a tool, or a process, or a discipline, right at the point where the compounding is about to begin. They want the result before they’ve put in the reps. The 85 per cent of millionaires in that study didn’t have a magic week — they had a consistent decade.

I see the same pattern with Copilot adoption inside organisations. The teams who win aren’t the ones who run a flashy training day and a launch poster. They’re the ones whose people open Copilot in Outlook, Teams and Word every working day, almost without thinking, the way they once started reaching for the search bar without remembering the world before it.

What I’m watching

I’ve stopped being impressed by the brilliant one-off. I’m more interested in what someone does on an ordinary Tuesday morning, before the coffee has properly kicked in. The unremarkable habits — the ones nobody applauds — are the ones that quietly decide where you end up.

Luck shows up sometimes. Consistency shows up every working day, in the small choices that don’t even feel like choices. Over a long enough timeline, that’s not really a contest — it’s mathematics.

Latest Microsoft image models

I have a standard image prompt that I use to test AI models. The last iteration with MAI-Image-1.5 and Flux.2 Flex is here:

https://blog.ciaops.com/2026/05/16/copilot-image-generation-in-powerpoint/

The previous attempts:

https://blog.ciaops.com/2026/05/05/revisiting-copilot-image-generation-analysis/

and the first attempt:

https://blog.ciaops.com/2026/03/07/image-generation-analysis/

Microsoft has just released two new models and here is what I got when I used them:

MAI-Image-2.5-Flash

image

and MAI-Image-2.5

image

We have come a LONG way in a very short period of time!

Defender for Cloud Apps session policy


Most MSPs treat Conditional Access as a light switch. Allow or block. Compliant device or not.

That works right up until a director needs OneDrive from a hotel laptop. Or a contractor needs SharePoint from a personal Mac. So you carve an exception, and the exception slowly becomes the policy.

There’s a third option sitting between allow and block. Almost no one in the SMB world turns it on.

It’s called a session policy, and it lives inside Defender for Cloud Apps. If your client is on E5 or Microsoft 365 E5 Security, they’re already paying for it.

What is a session policy, really?

A session policy is a real-time guardrail that fires after the user signs in. It rides along inside the browser tab.

It can block a download. It can block an upload. It can block copy-paste. It can force a sensitivity label on a file before it leaves OneDrive. It can make a user re-prove MFA before doing something sensitive — all without touching the device.

That’s not access control. That’s session control. Think of it as a referee inside the meeting, not a bouncer at the door.

It needs two pieces to fire. A Conditional Access policy in Entra ID that routes the session through Defender for Cloud Apps using Conditional Access App Control. And a matching session policy in the Defender portal that decides what to do once the session is in flight. Microsoft’s own Conditional Access app control overview is worth a read because it shows the reverse-proxy path the session actually takes.

One licensing note. Defender for Cloud Apps is not in Business Premium. You need E5, M365 E5 Security, or the standalone MDCA add-on. Plenty of SMBs already have it bundled and never realise.

Step-by-Step: blocking download to unmanaged devices

The killer scenario. Someone signs in to OneDrive from a personal laptop. They can read. They can edit in the browser. They cannot save a single file locally. No agent, no Intune enrolment, no work touching their device.

Build the Conditional Access policy

In the Microsoft Entra admin centre, go to Protection > Conditional Access > Policies and start a new policy. Scope it to your pilot group. For the cloud app, choose Office 365. Leave Grant on Grant access with no requirements — the heavy lifting happens elsewhere.

Turn on App Control

In the Session block, tick Use Conditional Access App Control and pick Use custom policy from the dropdown. That single tick is what tells Entra to hand the session to Defender. The full guidance lives in the Microsoft Learn how-to.

Move to the Defender portal

Now jump to security.microsoft.com. Under Cloud apps > Policies > Policy management, create a new Session policy. Start from the Block download based on real-time content inspection template — it saves a lot of clicks.

Filter to OneDrive and unmanaged devices

Set Activity source to Office 365 > OneDrive for Business. Add a filter: Device tag = Unmanaged. The action becomes Block file download.

Write a real block message

Don’t ship the Microsoft default. Tell the user why the file won’t download and what to do next. A blank “blocked by policy” page makes users fight the system and ring the helpdesk.

Run it in monitor-only first

Set the policy to Monitor only for a week. Watch the activity log. Confirm you’re catching the right sessions, on the right apps, against the right users. Then flip to Block. Microsoft’s create-a-session-policy walkthrough covers the screens for both modes.
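As an added example (not code from the original post), here is the Entra half of the pairing above built with the Microsoft Graph PowerShell SDK instead of the portal, so it can live in a runbook; the session policy itself is still created in the Defender portal as described. The pilot group object id is a placeholder, and the policy is scoped to that group only.

```powershell
# Added example: Conditional Access policy that hands Office 365 browser sessions to
# Defender for Cloud Apps ("Use Conditional Access App Control" -> "Use custom policy").
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in
# admin can create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group's object id

$params = @{
    displayName = "CA - Route Office 365 sessions to Defender for Cloud Apps (pilot)"
    # Enabled, not report-only: report-only mode never applies session controls,
    # so nothing would route to Defender. Monitor-only is set on the session policy instead.
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("all")
    }
    # Grant access with no requirements; the heavy lifting is the session control below.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # portal wording: "Use custom policy"
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Sanity check: if this prints nothing, App Control is not set and no session will
# reach Defender, which is the first of the three rollout traps described below.
$policy.SessionControls.CloudAppSecurity.CloudAppSecurityType
```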

Why this actually changes behaviour

Here’s the real win. Your director still gets OneDrive on the hotel laptop. The board paper opens in the browser. They can read it, comment on it, work through it.

They cannot drop it into the hotel laptop’s downloads folder.

That’s not a compromise. That’s the policy doing what you actually wanted the whole time.

“But why can’t I just block unmanaged devices outright?”

You can. You’ll also block every legitimate contractor, every guest reviewer, every consultant on a personal machine. Block is a single-use tool. Session policy is a scalpel.

Notice what’s missing? No agent on the device. No MDM. No certificate enrolment. The browser gets reverse-proxied through an *.mcas.ms URL and the session is policed in flight. Edge users get it in-browser with no URL change.

A copy-paste summary of what you’ve actually built looks like this:

Session policy: OneDrive – Block download from unmanaged
  Activity source : Office 365 → OneDrive for Business
  Device filter   : Device tag = Unmanaged
  Action          : Block file download
  Block message   : Custom — explain WHY + WHAT TO DO
  Content scan    : All files
  Phase           : Monitor → Block after 7 days

Notice what’s not in there. No list of apps. No list of file types. The whole policy keys off the device tag, because that’s the bit you can trust — Entra knows whether a device is compliant or unmanaged; the user can’t lie about it.

Where MSPs trip up

Three things bite people on the first rollout.

  • The Conditional Access policy must include the session control. If App Control isn’t ticked in CA, nothing routes to Defender. Many MSPs build the two policies as separate stories. They’re one story.

  • Native clients bypass MDCA. Outlook desktop, OneDrive sync, Teams desktop — none of them route through the reverse proxy. If you genuinely need to force browser, use the Entra session control Use app enforced restrictions on top, and read the Conditional Access session controls page before you go further.

  • Certificate chains matter. If the SaaS app has a partial chain, the proxy goes sideways. Test before you scope wide.

My recommendation

If you’ve got a client on E5 or M365 E5 Security and you’re not running at least one session policy, you’re leaving the most valuable thing in their stack switched off. Walk in next Monday with exactly one policy — block download from unmanaged for OneDrive. Monitor for a week. Flip to block. Show them the activity log.

Session policies aren’t there to keep users out. They’re there to let them in without the data following them out.

Formal education will make you a living; self-education will make you a fortune


Jim Rohn said it years ago: formal education will make you a living, self-education will make you a fortune. I’ve been turning that one over in my head again lately, and not for sentimental reasons. The gap between what you learned at school or university and what you actually need to know next Tuesday has never felt wider. And the people I see pulling ahead — in their careers, in their businesses, in their thinking — are almost always the ones who took their own learning seriously after the formal part stopped.

The bit that strikes me now is how much easier self-education has become, and how few people are actually doing it.

The classroom you carry around

The tools sitting on most people’s laptops right now would have looked like science fiction to a teacher twenty years ago. I open Copilot in Edge while I’m reading a long article and ask it to explain the part I didn’t quite get, in the context of my industry. I drop a dense PDF into Copilot Chat and ask what I should pay attention to before a meeting. I’m in Word writing something, and I ask Copilot to challenge my argument the way a sceptical colleague would. None of that is a course. It’s a habit. And the habit is what compounds.

What I notice is that people still treat learning as a thing they do somewhere else — a course, a webinar, a conference once a year. The interesting shift is that learning has quietly moved into the flow of work. The hour you used to spend hunting for an answer is the hour where the real growth happens, if you let the tools help you instead of just hand you a result.

Curiosity is the edge now

Here’s the part I think people underestimate. Copilot won’t make you smarter on its own. It rewards the people who already ask better questions. If you go in with “summarise this”, you get a summary. If you go in with “what’s the second-order effect of this on a small business with thin margins”, you get a conversation. The technology has lifted the floor and raised the ceiling at the same time, and the gap between the two is mostly down to how curious you are.

I see this in Teams meetings as well. The people who stay sharp open Copilot afterwards and ask it what they missed, what was implied, what didn’t get said. They use the recap as a starting point, not an ending. Same meeting, same transcript — completely different outcome depending on the questions you bring.

The fortune bit

Rohn’s line isn’t really about money. The fortune he’s pointing at is the compounding effect of being someone who keeps learning when nobody is making them. A CV gets you in the door. Self-education is what decides whether you’re still useful to your business, your clients, and yourself five years from now.

The honest truth is that the formal qualifications I picked up early in my career are a smaller part of what I do today than the stuff I’ve taught myself since. And the rate at which I can teach myself something now — with Copilot in Outlook explaining a thread, in Excel walking me through a model I didn’t write, in SharePoint pointing me at the document I’d forgotten existed — is something I genuinely couldn’t have imagined a few years ago.

The classroom never closed. We just stopped recognising it for what it is — and the people who keep showing up to it are quietly building the fortune Rohn was talking about.

Most SMB tenants have a guest graveyard


Most SMB tenants I look at have a “Guest Users” list that’s basically a graveyard. People invited for a project that finished in 2022. A contractor whose engagement ended last March. Somebody’s external accountant who hasn’t signed in since the BAS that prompted the invite.

Nobody removes them. Nobody can remember why they were added. Nobody’s even sure who should remember.

That’s not a guest problem. That’s a governance problem.

Now do the same exercise with Global Administrator. Or Privileged Role Administrator. Or that mystery security group somebody pinned to a SharePoint site three years ago and called “Finance – All”. Same pattern. Stale access. No owner. No expiry.

This is exactly what Access Reviews in Entra ID Governance is built to fix — and most MSPs I talk to either don’t know they’re licensed for it or have never actually run one.

Time to fix that.

What is Access Reviews, really?

Access Reviews is a recurring “are you sure?” loop. You point it at a group, an application, a privileged role, or every guest in your tenant. On a schedule you pick, it emails a reviewer — you, the group owner, or the user themselves — and asks them to confirm whether each person still needs the access they’ve got.

If the reviewer says no, or doesn’t reply and you’ve configured “no response = deny”, the access gets removed automatically when the review ends. No tickets. No spreadsheet. No “I’ll get to it next quarter”.

It’s the same job your auditor wants you to do at a desktop level. Just done in the portal, on a timer, with an audit trail attached.

What you need to run one

Licensing trips most people up here. Access Reviews is an Entra ID P2 or Entra ID Governance feature, and licensing is per user, not per tenant. Every user whose access you’re reviewing needs to be covered. Guest accounts don’t need a licence to be reviewed, which is the one bit of good news.

Business Premium customers don’t have P2 in the box. If they want this, they need Microsoft 365 E5 or the Entra ID Governance add-on. Tell the client up front — don’t promise the feature and discover the gap at invoice time.

You’ll want Identity Governance Administrator or Global Administrator to set the first review up. Group owners can run reviews on their own groups once an admin enables the toggle in the Access Reviews settings.

Step-by-Step: a recurring guest review

Start here on every tenant. It’s the easiest win.

Open the portal

Sign in to entra.microsoft.com as Identity Governance Administrator. Go to ID Governance > Access Reviews > New access review.

Pick what to review

In Select what to review, choose Teams + Groups, then All Microsoft 365 groups with guest users. This is the magic option. It creates one recurring review that sweeps every M365 group containing guests, across the whole tenant, automatically, forever.

Set Scope to Guest users only.

Pick your reviewers

Pick Group owners with a fallback. Group owners actually know whether Alice from the partner agency still needs Teams access. You don’t. You also don’t want to be reviewer-of-last-resort for fifty groups.

Set the schedule

Recurrence: Quarterly. Duration: 5 days. Long enough that nobody can claim they were on leave. Short enough that the next quarter doesn’t lap it.

Set the settings that actually matter

This is where most people skim and lose the whole value of the feature. Slow down.

  • Auto-apply results to resource: On. Without this, denied users stay in the group until somebody manually clicks apply. They never do.

  • If reviewers don’t respond: Remove access. Yes, really. If the owner can’t spend two minutes confirming a guest, the guest goes.

  • Justification required: On. Forces reviewers to type a reason for “keep”. Stops the rubber-stamp click-through.

  • Mail notifications + reminders: On.

Name it Quarterly Guest Review - All M365 Groups, hit Create, done.
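As an added example (not code from the original post), the same recurring guest review defined through the Microsoft Graph PowerShell SDK, which is handy when you want an identical definition pushed into every client tenant from a runbook. The fallback reviewer object id is a placeholder for the admin who reviews when a group has no owner.

```powershell
# Added example: "Quarterly Guest Review - All M365 Groups" as an access review
# schedule definition. Assumes the Microsoft.Graph.Identity.Governance module is
# installed and the signed-in account holds Identity Governance Administrator.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$fallbackReviewerId = "00000000-0000-0000-0000-000000000000"   # placeholder: fallback reviewer's object id

$definition = @{
    displayName          = "Quarterly Guest Review - All M365 Groups"
    descriptionForAdmins = "Sweeps every Microsoft 365 group containing guests. Owners decide; no response removes access."
    # "All Microsoft 365 groups with guest users": enumerate every unified group...
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # ...and within each one review only the guest members (Scope = Guest users only)
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Group owners review; the fallback catches groups with no owner
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true   # reviewers must type a reason for "keep"
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"  # no response = remove access
        autoApplyDecisionsEnabled       = $true   # apply results without a manual click
        instanceDurationInDays          = 5
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }   # quarterly
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition

# Confirm the two settings that carry the whole value of the feature actually landed
$review.Settings.DefaultDecision            # expect Deny
$review.Settings.AutoApplyDecisionsEnabled  # expect True
```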

Step-by-Step: privileged groups and admin roles

Same engine, different doorway. PIM for Entra roles and PIM for Groups each have their own access review entry point — not the one above.

For Entra admin roles

Open PIM > Microsoft Entra roles > Access reviews > New. Review every role with active or eligible assignments. Reviewer = the user themselves, because self-attestation forces them to type a justification. Add a second-stage approver if you want belt-and-braces. Recurrence: every 90 days for admin roles. No exceptions.

For privileged groups

If you’re using PIM for Groups to gate access to sensitive things, you can review the eligible members on the same cadence. Same wizard, hosted under PIM. Same settings. Same auto-apply.

Notice what’s missing? PowerShell. None of this needs it. Portal only.

One artefact you can paste into every client runbook

Guest access:     quarterly, 5-day window, owner-reviewed,
                  no response = remove, auto-apply on.
Admin roles:      every 90 days, self-attest + 2nd stage,
                  no response = remove, auto-apply on.
PIM for Groups:   every 90 days, owner-reviewed,
                  no response = remove, auto-apply on.

Notice what’s not in there? Anything called “annual”. Annual reviews don’t do anything except let stale access fester for eleven and a half months. If the cadence isn’t quarterly or better, you don’t have a control — you have a calendar reminder.

Why this actually changes behaviour

Before: “I’ll clean up guests when I get a chance.” After: “The system already did it last Tuesday.”

That’s the shift. Access Reviews moves access cleanup from a thing humans intend to do into a thing that happens whether they intend to or not.

For an MSP the win is bigger. Every client tenant you manage produces a quarterly evidence trail — who reviewed what, what got removed, who signed off. Exactly the evidence the cyber insurer asks for at renewal. Exactly the evidence an SMB1001 or Essential Eight auditor wants on the table. According to the Access Reviews FAQ, reviewers and decisions are captured against each instance, so the audit trail is already there — you just have to turn the reviews on.

You’re not selling “we’ll clean up your guests” anymore. You’re selling governance with a paper trail.

Access Reviews isn’t there to help you remember to remove stale access. It’s there to remove it whether you remember or not.

If you’re not turning this on for your clients, you’re leaving the easiest governance win in Microsoft 365 on the table.