Privileged Identity Management (PIM) for Entra roles


Walk into most SMB tenants and check who holds Global Administrator. You’ll find at least one. Often three. Sometimes more. All permanent. All active. All the time.

That’s standing privilege. And it’s the biggest gift you can hand a token thief.

Most MSPs I talk to know about Privileged Identity Management. They’ve seen it in the Entra admin centre. They just don’t switch it on for clients, because they assume it’s an enterprise thing — too expensive, too complicated, too overkill for a 25-seat business.

Wrong on all three.

What is PIM, really?

PIM is just-in-time admin access. You stop being a Global Administrator all day every day, and start being eligible for it. When you need the role, you put yourself in for a fixed window, with a justification and a record. A few hours later it drops off. You’re back to a normal user.

That’s not least privilege as a slogan. That’s least privilege as a clock.

You can layer MFA on activation, approval workflows where one admin signs off on another’s elevation, and access reviews that quietly remind you each quarter that someone’s eligibility hasn’t been used in 90 days. All portal-driven. No scripts. Microsoft’s overview of PIM is worth a read, but the licensing point is the one that trips everyone up.

PIM needs Entra ID P2 or Entra ID Governance. That’s not in Business Premium. But — and this is the part MSPs miss — you only need to licence the admins, not every seat. Three admin accounts is your premium. Compare that to one incident.

Step-by-step: switching on PIM for Global Administrator

Run through this in the Entra admin centre. Sign in as a Global Administrator and licence the admin accounts you want under PIM first.

Park a break-glass account

Before touching a role, create a dedicated break-glass admin. Permanent active Global Administrator. Long random password in your password manager. Excluded from every Conditional Access policy. Document it somewhere you can find at 2am.

This is the one account PIM doesn’t touch. Skip this step and you’ll lock yourself out the first time MFA goes sideways.

Open ID Governance

ID Governance → Privileged Identity Management → Microsoft Entra roles → Roles.

Configure role settings for Global Administrator

Select Global Administrator → Role settings → Edit. Microsoft documents every option here; the ones that earn their keep look like this:

Activation maximum duration:   4 hours
Require MFA on activation:     Yes
Require justification:         Yes
Require approval to activate:  Yes (2 approvers, not self)
Permanent eligible assignment: Disallowed
Notification on activation:    All Global Admins

Notice what’s missing? PowerShell. None of this needs it.

Move existing GAs from active to eligible

Assignments → find each Global Administrator → use the assign roles flow to make them eligible instead. Same permissions — only when they ask for them.

Schedule an access review

Under Access reviews, set up a quarterly review of all eligible Global Administrators. Configure it to auto-remove on no response. The clients who think this is overkill are the clients who’ll have an ex-staffer with admin rights twelve months from now.

Why this actually changes behaviour

PIM isn’t a tool. It’s a posture. The second a Global Admin has to type a reason and wait for approval, two things happen — they stop using GA for the trivial stuff, and someone else sees every elevation.

“But our admins will hate this.”

They’ll hate it for a week. Then they’ll forget it’s there, because activation is two clicks. And the first time you can prove with an audit log that no privileged account was active during an incident, you’ll wonder how you ran tenants any other way.
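The audit-log proof mentioned above, as an added example that is not part of the original post. It assumes the tenant's Entra audit logs are exported to a Log Analytics workspace through diagnostic settings (the AuditLogs table; no Sentinel required), and that the PIM activity names are the ones I have seen in tenants; confirm the ActivityDisplayName values against your own audit log before relying on the query. The incident window is a constructed sample.

```kql
// Added example: every PIM activation of Global Administrator that could have been
// live during an incident window. Not from the original post.
// Assumes Entra audit logs are streamed to Log Analytics (AuditLogs table).
// The activity names below are assumptions; check them against your tenant's audit log.
let IncidentStart = datetime(2026-06-01 02:00:00);   // constructed sample window
let IncidentEnd   = datetime(2026-06-01 06:00:00);
AuditLogs
// Look back one activation maximum (4h in the role settings above) so an elevation
// that started before the window but was still active inside it is not missed.
| where TimeGenerated between ((IncidentStart - 4h) .. IncidentEnd)
| where Category == "RoleManagement"
| where ActivityDisplayName has_any ("Add member to role requested (PIM activation)",
                                     "Add member to role completed (PIM activation)")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
// TargetResources holds both the user and the role; keep the Global Administrator entry
| mv-expand TargetResources
| extend Target = tostring(TargetResources.displayName)
| where Target == "Global Administrator"
| project TimeGenerated, ActivityDisplayName, Actor, Target, Result
| order by TimeGenerated asc
```

An empty result set for the window is the proof the paragraph above describes: no eligible admin requested or completed an activation in the period, and the break-glass account is the only standing privilege left to check separately.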

A standing Global Admin is a key under the doormat. PIM is the locksmith.

If you’re not setting this up for your clients, you’re leaving the front door open and calling it security.

The Command Line Is Quietly Coming Back


I had a quiet moment last week that made me stop and think. I was watching a younger colleague get something done in about thirty seconds — no mouse, no menus, no four browser tabs open. Just typed a sentence into a terminal, hit enter, and the work was done. It looked exactly like the way I used to work in the late nineties, except the thing on the other side of the prompt was now an AI.

That’s the part I keep turning over. For more than two decades we have been told the future is graphical. Click, drag, drop, swipe. Every product wanted to be more visual, more “intuitive”, more pointy and clicky than the last one. And now, very quietly, the command line is walking back into the room — with a tool like GitHub Copilot CLI under its arm.

Typing is faster than clicking, again

The reason this shift is happening isn’t nostalgia. It’s pace. When you can describe what you want in plain English and have a tool translate that into the right command, the whole “where is that menu again” tax disappears. I’ve watched people who genuinely could not tell you what grep does happily ask Copilot CLI to find every file on their machine that mentions a particular client, and get a clean answer in seconds.

That same pattern is now showing up everywhere I look in Microsoft 365. Copilot in Outlook is, in effect, a command line for your inbox. You type “find the email from the supplier about pricing last month and draft a reply” and you’re done. No folder hunting, no scrolling. Copilot in Excel does the same thing for data — you describe the pivot you want, the chart you want, the trend you want highlighted, and it happens. The mouse becomes optional.

The interface is becoming language

What I think we’re really watching is not a return to green text on black screens. It’s the recognition that human language is itself a pretty good interface. For years we tried to dumb computers down for people. Now we’re meeting in the middle. People type or speak what they want. The machine figures out the click path.

Look at Microsoft Teams. The new way to drive it isn’t to click through tabs and channels — it’s to ask Copilot what was decided in yesterday’s project meeting, who owes who an action item, and what changed in the shared OneNote since Friday. The chat box has quietly become the most powerful button in the application.

What it means for how we work

For business leaders this matters more than it might first appear. The people who get good at “talking” to their tools — whether that’s Copilot CLI on a developer’s laptop, Copilot in Word turning rough notes into a board paper, or Copilot in SharePoint pulling the right policy out of a thousand documents — are going to be visibly faster than the people still hunting through ribbons and right-click menus.

I’m telling clients to start treating prompt-writing as a normal workplace skill, the same way we once treated email etiquette. It is the new shortcut key.

What I’m watching next

The interesting question is whether this collapses the distinction between “technical” and “non-technical” users altogether. If everyone’s interface is a sentence, the playing field flattens fast. The command line never really left. It just learned to listen.

Defender XDR unified incident queue


Most MSPs I talk to are still triaging Defender alerts one console at a time. Open Defender for Endpoint, jump to Defender for Office 365, check Entra sign-in logs, back to the device timeline. Five tabs, five clocks, no story.

That’s not response. That’s archaeology.

Defender XDR fixed this. The unified incident queue sits in the Microsoft Defender portal and stitches signals from Endpoint, Office 365, Identity, Cloud Apps and Entra into a single container called an incident. One incident, one timeline, one place to act.

If you’re still working from individual alert lists, you’re doing the correlation work the platform already did for you.

What is the unified incident queue, really?

An alert is one signal — a flagged email, a process anomaly, a risky sign-in. An incident is what Defender builds when it stitches several of those alerts into one attack story across products. Same user, same device, same attacker IP, same hour, one incident.

You stop looking at noise and start looking at attacks. Microsoft frames it exactly that way in Incidents and alerts in the Microsoft Defender portal.

Notice what’s missing? Sentinel. You don’t need it to get value from this queue.

Step-by-Step: Working an incident properly

Open the queue

In security.microsoft.com, expand Investigation & response > Incidents & alerts > Incidents. That’s your home page now. Pin it.

Triage the top of the list

Sort by Severity. For each new incident, assign an owner, set status to In progress, and add a tag like ransomware-suspect or bec-suspect so the rest of your team can filter on it. Microsoft walks through this on Manage incidents in Microsoft Defender.

Open the attack story

Inside the incident, click Attack story. You get a graph — users, devices, files, mailboxes — with events in order. This is where the correlation pays off. You’re not joining tabs in your head anymore.

Hunt for the rest of it

If the incident feels like one footprint of a bigger campaign, open Hunting > Advanced hunting and run a KQL query against the relevant table. Bookmark the Advanced hunting overview — it lists every table the queue can see across all the Defender workloads.

A starter:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("Invoke-WebRequest","DownloadString","certutil")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Notice what’s missing? PowerShell. You’re not running this from a remote shell. It runs in the portal, against the same data the incident was built from. That’s the point.

Save the good queries as detections

Any hunting query you’d happily wake up to at 3am can become a custom detection rule. From Advanced hunting, hit Create detection rule. Defender runs your query on a schedule and the matches feed straight back into the incident queue. The flow is documented in the Custom detections overview.

That’s the loop. Hunt once, detect forever.
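The starter query above reshaped so it can actually be saved as a custom detection rule, as an added example rather than code from the original post. Defender requires a custom detection query to return Timestamp, ReportId and at least one entity column (DeviceId here) so it can raise an alert and map it to the right device; the exclusion folder is a constructed placeholder for whatever known-good tooling in your own baseline happens to call these commands.

```kql
// Added example: the starter hunting query made detection-ready. Not from the original post.
// Custom detection rules need Timestamp, ReportId and an entity column (DeviceId below)
// in the output, or the "Create detection rule" button refuses the query.
DeviceProcessEvents
| where Timestamp > ago(1d)            // keep a time bound so ad-hoc runs in the portal stay cheap
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "certutil")
// Assumed exclusion: a constructed placeholder for known-good tooling; replace with your own baseline
| where not (InitiatingProcessFolderPath startswith @"C:\Program Files\ExamplePatchAgent")
// Label which pattern fired so the alert title explains itself
| extend Trigger = case(
    ProcessCommandLine has "certutil",       "certutil download/decode",
    ProcessCommandLine has "DownloadString", "PowerShell DownloadString",
                                             "Invoke-WebRequest")
// One row per device/account/pattern: arg_max keeps Timestamp and ReportId from the same
// (latest) event, which is what the alert will be anchored to
| summarize arg_max(Timestamp, ReportId, ProcessCommandLine),
            Hits = count(), FirstSeen = min(Timestamp)
          by DeviceId, DeviceName, AccountName, Trigger
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, Trigger, Hits, FirstSeen, ProcessCommandLine
```

Run it in Advanced hunting first and tune the exclusion until the result set is something you would happily be woken for; only then hit Create detection rule, because every match from that point on lands in the incident queue as an alert.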

Why this actually changes behaviour

“Where do I start?” becomes “What story is Defender telling me?”

When the queue is your home page, your team stops chasing alerts and starts closing incidents. The numbers you report to clients become incidents closed, median time to triage, active attack stories — not raw alert counts nobody can interpret.

The custom detection layer is where MSPs separate themselves. The product gives you the correlations Microsoft thought of. The rules you write are the correlations your clients need. Stack a few by vertical — finance, legal, construction — and you have a productised security service the next MSP down the road doesn’t.

The unified queue isn’t there to give you fewer alerts. It’s there to make alerts something you can actually work.

The Founder Is the Ceiling


I’ve watched plenty of MSP owners import a new strategy — a pricing model, a sales motion, an AI practice — and then sit back waiting for results that never quite arrive. The framework is fine. The consultant was competent. The slide deck is tidy. Nothing lands. After the third or fourth time you see this pattern, you start to suspect the strategy was never the problem. The person running it was running the same way they always had, with the same instincts, the same blind spots, the same calendar. And the strategy, for all its elegance, quietly gathers dust.

Strategies borrow their ceiling from the founder

Here’s the uncomfortable bit. Every strategy in your business is quietly capped by whoever owns it at the top. A sales playbook built for disciplined follow-up doesn’t survive contact with a founder who hates picking up the phone. A managed services model built around proactive account reviews doesn’t work for an owner who still treats quarterly business reviews as optional. A cyber practice built on hard conversations about risk doesn’t get off the ground when the founder is uncomfortable delivering bad news to clients. The strategy isn’t weak. It’s just being run through the wrong instrument. You can buy a better playbook, hire a better consultant, pay for a better PSA, and you’ll still end up with results shaped by your own habits. That’s not a criticism. It’s just mechanics. The business is a reflection of the person at the top, and the ceiling on your strategies is almost always the ceiling on you.

The tool is a mirror, not a transformation

This is where I see Copilot quietly doing more than most owners realise. Not as a productivity gadget — as a mirror. When I open Copilot in Outlook and ask it to summarise the week’s inbox, I’m confronted with what I’ve actually been spending my time on, not what I thought I was spending my time on. When I ask Copilot in Teams to pull the decisions out of a client meeting, I notice which decisions I keep ducking. When I use Copilot Chat to pressure-test a proposal before I send it, I catch lazy thinking I would have signed off on a year ago. None of that changes my strategy. It changes me. That’s the part that makes the strategy finally move. The upgrade isn’t in the tool. It’s in the habit of using the tool to confront how I actually work, then doing something about what I find. That is a very different thing to rolling Copilot out across the tenant and calling it a transformation.

The hardest part is seeing yourself

Most founders I talk to are genuinely willing to change their business. Far fewer are willing to change themselves. We’ll restructure the team, rewrite the service catalogue, and re-platform the ticketing system before we’ll look honestly at our own calendar, our own decision-making, or our own tolerance for avoidance. The interesting thing is that the same Microsoft 365 tools we’re selling to clients — Copilot, Loop, Planner, SharePoint — are the ones that expose our own patterns if we let them. A Loop page tracking your weekly commitments will tell you the truth about your follow-through in about a fortnight. That’s a confronting experience, and it’s where the real upgrade starts.

Before you import your next strategy, ask a harder question. What would I have to become for this to actually work in my business? If the honest answer is “someone I’m not yet”, the strategy isn’t the first thing that needs upgrading. You are. Everything else in the business eventually rises or falls to that line. That’s not an easy sentence to sit with. It’s also the one I keep coming back to whenever I watch a good strategy fail to stick.

What is connecting Copilot agents to Dataverse, Graph, and connectors, really?


When people hear “Copilot Studio agent,” they picture a chatbot. That’s the wrong mental model. A modern agent is a reasoning layer sitting on top of three very different pipes: your business data in Dataverse, your organisational content in Microsoft Graph, and the wider universe of SaaS via Power Platform connectors.

Each pipe has its own auth story. And that’s where almost every SMB and MSP rollout I see comes unstuck.

That’s not a configuration problem. That’s an identity problem dressed up as a configuration problem.

Step-by-Step: wiring an agent to the three pipes

Set the agent’s authentication first

Before you add a single tool, go to Settings → Security → Authentication in your agent. Pick Authenticate with Microsoft. This uses Microsoft Entra ID to identify whoever is chatting — and it’s the prerequisite for almost everything that follows.

Skip this step and your agent runs as nobody. Which means it can’t read Dataverse on the user’s behalf, can’t honour SharePoint permissions, and can’t call a connector as the signed-in user. Get the front door right and the rest gets easier.

Add a Dataverse table as knowledge

Open Knowledge → Add knowledge → Dataverse. You can wire up to 15 tables per agent. Two things that catch people out:

  • Dataverse search must be enabled on the environment first.

  • Add synonyms and glossary terms for any column where your users speak a different dialect to the schema.

“Why doesn’t it find my open opportunities?”

Because your column is called statuscode and your users say “stage.” Synonyms fix that.

Add a Microsoft 365 Graph connector for content

Graph connectors are the other knowledge model — they index external content (Jira, ServiceNow, file shares, intranets) into the same semantic graph that Copilot already uses for Teams, SharePoint, and mail. Set them up in the Microsoft 365 admin center → Search & intelligence → Connectors. ACL-based permission trimming is preserved, so users only see what they’re allowed to see. Microsoft has a clear overview here.

Notice what’s missing? Dataverse is agent-scoped knowledge. Graph connectors are tenant-scoped knowledge. Different governance owners. Plan accordingly.

Add a connector as a tool

In your agent, Tools → Add a tool → Connector. Pick a standard, premium, or custom Power Platform connector. Now the agent can act — create a row, post to Teams, hit your line-of-business API.

Tool = action. Knowledge = retrieval. Don't confuse the two.

Pick the right credentials mode

Every tool asks one question that quietly decides your security posture: Maker Credentials or End User Credentials?

  • Maker Credentials: the connection runs as you, the builder. Easy demos. Terrible for anything user-specific.

  • End User Credentials: each chatter authenticates with their own account. Slightly more clicks for users. The only sensible default for production. Details here.

My recommendation? Default to End User and only fall back to Maker when there’s a genuine service-account scenario — like reading a shared mailbox.

Why this actually changes behaviour

Here’s the real win. Once authentication is correctly threaded through the agent, the same prompt produces different, personally-relevant answers for every user — because it’s their identity flowing into Dataverse, their Graph results coming back, their connector permissions being honoured.

That’s not a chatbot. That’s a tenant-aware assistant.

The other thing I notice with clients: governance conversations get easier. “Who can see what?” becomes a question of existing Entra groups and Dataverse row security — not a brand-new permissions matrix you have to invent for the agent.

Get the auth pattern right once and every agent you build afterwards inherits it. Get it wrong and you’ll be unpicking the same mess for months.

Wire the pipes. Mind the credentials. Ship something your clients actually trust.

Advance — Use It to Upgrade Your Actual Life


There’s a line I keep repeating. If you’re not reaching for AI every working hour of every day, you’re leaving a silly amount of productivity on the floor. That’s not a pep talk. That’s the baseline now.

But the bit I don’t say loudly enough — the part that actually matters — is this: work is the shallow end. The real compounding doesn’t happen in your quarterly numbers. It happens in the life you build around them.

The job isn’t using it at work

Most people I talk to are still framing AI as a work tool. A faster way to write an email. A quicker way to build a deck in PowerPoint. A cleaner summary of yesterday’s Teams meeting. All useful. All, honestly, the least interesting thing it can do for you.

The long game is personal. You have been handed, for the price of a monthly subscription, a patient thinking partner who will sit with you on any problem, any time of day or night — no ego, no judgement, no billable hour. Whether that’s a Saturday morning over coffee or the drive home after a rough day. Most of my team haven’t really used it that way yet. Honestly, neither had I, until recently.

Every friction point is now a prompt

Think about the things you’ve been avoiding for weeks. They tend to share a shape. A hard conversation with a business partner. A decision about whether to move the family interstate. A contract for a property that you don’t fully understand and don’t want to ask your agent about in front of the vendor.

Every one of those is now a prompt.

Last month I dropped a forty-page purchase agreement into Copilot and asked it to surface everything that wasn’t in my favour. It took about ninety seconds. I walked into the next conversation with three questions I would never have thought to ask, and one clause I’d been about to sign away without a second look. The deal shifted. That moment — that shift — is what I’m talking about.

The conversation you’ve been dreading? Open Copilot in Word, write out what you want to say, and have it stress-test the tone, the gaps, the places you’re being unfair or being walked on. Weighing a big life decision? Give it your situation, the options and what you actually care about, and let it play devil’s advocate until you can hear your own thinking more clearly. Piles of messy personal documents sitting in OneDrive? Point Copilot at them and start asking.

Disrupt yourself first

The job of a good CEO is to look eighteen months down the track and protect the business from whatever’s coming. Most of us accept that as obvious for the companies we run.

Almost none of us apply it to our own lives.

Your job, right now, as a human being, is exactly the same. Look eighteen months ahead. Ask what’s going to be true then about how work, relationships, careers and decisions get made. Then disrupt yourself before the world does it for you — because the world absolutely will.

The people who quietly pick this up — who use Copilot not just for their inbox but for the harder, more personal stuff — are going to look up somewhere in 2027 and realise they’re living a noticeably different life. Not because AI saved them a few minutes on email. Because they used it to think better, decide better, and act earlier than the people around them.

Absorb. Assemble. Align. Advance.

Start today.

Techwerks 30–24 June 2026


CIAOPS Techwerks face to face returns to Melbourne CBD on Wednesday the 24th of June 2026.

The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or by sending me an email (director@ciaops.com) expressing your interest.

The content of these all-day face-to-face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands-on, real-world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best-practice takeaways for each attendee.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters to them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Gold Enterprise Patron = $50 ex GST

Gold Patron = $90 ex GST

Silver Patron = $180 ex GST

Bronze Patron = $360 ex GST

Non Patron = $720 ex GST

I hope to see you there.