CIAOPS Need to Know Microsoft 365 Webinar – May


Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Copilot Cowork.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

May Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2605 )

The details are:

CIAOPS Need to Know Webinar – May 2026
Friday 29th of May 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Youtube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

CIAOPS AI Dojo 012


What’s the session about?

This month we will be focusing on new Copilot features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

  • IT administrators and support staff
  • Business owners
  • People looking to get more done with Microsoft 365
  • Anyone looking to automate their daily grind

Save the Date

Date: Friday the 29th of May 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

Register Now

DSPM: The End of Guessing About Your Sensitive Data


Most Microsoft 365 tenants I walk into are flying blind on data.

The sensitivity labels exist. A couple of DLP policies exist. Someone once turned on Insider Risk Management because a consultant said so. And then nothing. Nobody knows what’s working, what’s exposed, or which sensitive files are sitting wide open in a SharePoint site shared with half the planet.

That’s not a security posture. That’s a guess.

The tool that finally ends the guessing is Microsoft Purview Data Security Posture Management. If you’ve got E5 or the Purview Suite and you’re not showing this to your clients, you’re leaving value on the table.

What is DSPM, really?

DSPM is the dashboard that tells you, in plain English, where your sensitive data is sitting unprotected and which users are handling it carelessly. It pulls signals from the tools you already pay for — DLP, Information Protection, Insider Risk Management, Adaptive Protection — and stitches them into one view.

The clever bit is the correlation. Before DSPM, you’d open five different blades, cross-reference three different reports, and still miss half of it. Now the findings and recommendations land on one page, with a one-click path to spin up the matching policy.

That’s not a report. That’s a to-do list with context.

Step-by-Step: turning DSPM on

Portal only. Stay in the GUI — easier for you, easier to hand off to the next admin.

Open the Purview portal

Sign in to the Microsoft Purview portal as a member of the Data Security Management role group, an Insider Risk Admin, or a Compliance Administrator. Global Admin works too, but please don’t use it if you can help it.

Open the DSPM solution

From the home page, go to Solutions → Data Security Posture Management → Overview.

Turn on analytics

On the Overview page, click Turn on analytics. That one switch also enables DLP analytics and Insider Risk analytics behind the scenes if they aren’t already on. One click, three switches. The full checklist is in the Get started with DSPM article.

Wait

Yes, really. The automated scan across your tenant can take up to three days on anything larger than a handful of users. Walk away. Brew a coffee. Come back on Thursday.

Review the recommendations

Back on the DSPM dashboard, open Recommendations. Each one tells you what was found, why it matters, and offers a one-click path to create the DLP or Insider Risk policy that fixes it. You don’t start from a blank policy screen anymore — you start from your tenant’s real gaps.

Track trends over time

Use the Analytics and Reports tabs in client reviews. A trend line of risky activity going down beats any invoice justification I’ve ever tried to write.

Why this actually changes behaviour

“Are we protected?”

That’s the question every SMB owner asks. Most of us have been answering with vibes. Good vibes, educated vibes, but vibes.

DSPM changes the answer. You can point at a number. You can point at a recommendation you actioned last month and the unprotected file count that dropped because of it. You can show, not tell.

For MSPs, that’s a QBR slide that sells itself. For internal IT, it’s the evidence you need when the CFO asks what the Microsoft Purview licence is actually doing for the business.

And if Copilot is already in the tenant — which, let’s be honest, it increasingly is — then DSPM for AI is your next stop. Same lens, pointed at what people are pasting into Copilot prompts and what’s flowing back out.

Copilot doesn’t slow down. Neither does your data sprawl. Use something that keeps up.

DSPM isn’t there to create more work. It’s there to stop the guessing.

Prospects don’t buy in straight lines, so stop trying to force them down one


Most marketing is built on a comforting lie.

That lie is the “nice, neat funnel”.

Awareness.
Consideration.
Decision.
Purchase.

It looks logical. It’s easy to diagram. It makes marketers feel in control.

And it’s almost completely divorced from how people actually buy.

Prospects don’t move in straight lines. They loop, stall, disappear, reappear, second‑guess themselves, ask peers, ignore you for months, then suddenly act. If your marketing assumes linear progress, you’re not guiding buyers—you’re frustrating them.

The problem isn’t your funnel. It’s your assumptions.

Most marketing is designed around how we wish people bought:

  • Read the blog

  • Download the guide

  • Book the call

  • Buy the service

But real buyers don’t behave like that. Especially in B2B. Especially in IT.

An MSP prospect might:

  • Hear about you on LinkedIn

  • Ignore you for six months

  • Get hit with a security incident

  • Ask a peer in a WhatsApp group

  • Re‑read a blog they skimmed months ago

  • Watch half a webinar

  • Then finally reach out—already 80% decided

If your marketing only supports one “next step”, you lose relevance the moment they step off your rails.

People buy when their timing aligns, not when your campaign says so

This is where most MSP marketing falls apart.

You’re pushing:

  • “Book a call”

  • “Act now”

  • “Limited time offer”

While the buyer is thinking:

  • “I need to understand this better”

  • “Is this actually a problem for me?”

  • “What happens if I do nothing?”

Forcing urgency doesn’t create trust. It creates resistance.

Good marketing doesn’t push people forward. It removes friction wherever they are.

What non‑linear marketing actually looks like

If people don’t buy in straight lines, your marketing shouldn’t either.

That means:

  • Content that stands alone (not “part 3 of 7”)

  • Clear explanations without requiring prior context

  • Repeated ideas from different angles, not “new for the sake of new”

  • Easy re‑entry points for people who went quiet

It also means accepting that most prospects will consume far more content than you’ll ever see evidence of.

They’re watching. Reading. Lurking. Evaluating.

Silence does not mean disinterest.

Design for the buyer’s journey, not your sales process

Your sales process is internal. Your buyer’s journey is not.

When you design marketing around your CRM stages, you optimise for reporting—not conversion.

Instead, ask:

  • What questions are buyers asking before they talk to us?

  • What objections do they have that they’re not voicing?

  • What would make them feel smarter, safer, or more confident right now?

Answer those questions—over and over—without demanding anything in return.

Stop trying to control the path

Marketing isn’t about herding people down a funnel.

It’s about being present, useful, and credible whenever the buyer decides to engage.

So stop marketing the way you wish people bought.

Start marketing the way people actually buy: Messy. Non‑linear. On their own timeline.

Your job isn’t to force the journey.

It’s to make sure you’re still relevant when they finally decide to move.

Autopilot + ESP: The Deployment Pattern That Actually Survives Contact With Real Users


If you’re still PXE-booting laptops in the back room in 2026, you owe your techs a better life. Windows Autopilot with a properly configured Enrollment Status Page (ESP) is the MSP deployment pattern that scales — but only if you stop treating ESP as a tick-box and start treating it as the gate that enforces your security posture before the user ever sees a desktop. Here’s the deploy-it-well version.

Prerequisites People Miss

Business Premium gets you the licensing — Entra ID P1, Intune, and Windows 11 Pro/Enterprise entitlements. The bits that actually bite:

  • Automatic MDM enrollment must be on. Entra admin center → Mobility (MDM and WIP) → Microsoft Intune → MDM user scope = All (or a group). Miss this and the device joins Entra but never enrols into Intune, and the ESP just hangs.

  • Hardware hash registration path. For anything beyond a one-off, get the reseller to register devices to your tenant at purchase. Manual CSV uploads at OOBE are fine for a test VM; they’re a tax on your L1 team in production.

  • TPM 2.0 + device attestation are non-negotiable for self-deploying and pre-provisioning scenarios. VMs won’t cut it, and attestation needs outbound HTTPS to vendor-specific endpoints.

  • Cloud-native over hybrid join. Microsoft’s own guidance is explicit: deploy new devices as Entra-joined. If you’re still standing up the Intune Connector for AD in 2026, have a very good reason written down.

Full list: Windows Autopilot requirements.

Where To Configure

Everything lives in the Microsoft Intune admin center. Two paths you’ll wear out:

  • Deployment profile: Devices → Windows → Device onboarding → Enrollment → Windows Autopilot → Deployment Profiles → Create profile → Windows PC. User-driven, Entra-joined, Standard user account type, hide EULA and privacy settings, set a device name template, allow pre-provisioned deployment.

  • ESP profile: Devices → Device onboarding → Enrollment → Windows tab → Enrollment Status Page → Create. Do not edit the default “All users and all devices” profile — create your own and give it a higher priority.

References: Configure Windows Autopilot profiles and Set up the Enrollment Status Page.

The Rollout Pattern That Works

Three rings, same as your update rings. Don’t skip this.

  1. Pilot (IT / internal). Loose ESP — Block device use = No, timeout 90 minutes, log collection on. You want visibility, not gates.

  2. Early adopters. ESP enforced at the device phase only. Block device use = Yes, timeout 60 minutes, custom error message with your service desk number. Turn off the User / Account Setup phase — the overwhelming majority of ESP failures happen there, and device-targeted apps have already installed by that point.

  3. Production. Lock it. Required blocking apps = your EDR (Defender), BitLocker initiation, and one small “canary” Win32 app that proves apps are actually flowing. No more than five blocking apps total.

Assign both profiles to a dynamic device group filtered on (device.devicePhysicalIDs -any _ -contains "[ZTDId]") so Autopilot-registered devices land automatically.
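As an added example (not code from the original post), the following PowerShell creates that dynamic device group from the membership rule quoted above using the Microsoft Graph PowerShell SDK, then compares the group’s evaluated members against the tenant’s Autopilot-registered devices so you can see the “dynamic group latency” gap before a ring-one device races ahead of policy. The group display name and mail nickname are my own placeholders; it assumes the Microsoft.Graph modules are installed and the signed-in account holds Group.ReadWrite.All and DeviceManagementServiceConfig.Read.All.

```powershell
# Added example, not from the original post. Creates (or reuses) the Autopilot
# dynamic device group and reports which registered devices have not yet been
# evaluated into it. Run from a workstation with the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementServiceConfig.Read.All' -NoWelcome

# Membership rule exactly as quoted in the post: every Autopilot-registered device.
$rule = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'

# Placeholder names; change to your tenant's naming standard.
$displayName = 'Autopilot Devices - All'
$group = Get-MgGroup -Filter "displayName eq '$displayName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $displayName `
        -Description 'All Autopilot-registered devices; target Deployment and ESP profiles here' `
        -MailEnabled:$false -MailNickname 'autopilot-devices-all' -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
    Write-Host "Created dynamic group $($group.Id)"
} else {
    Write-Host "Reusing existing group $($group.Id)"
}

# Devices Intune knows as Autopilot-registered (hardware hash uploaded or reseller-registered).
$registered = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All)

# Entra device objects the dynamic rule has already evaluated into the group.
# Group members are directory objects; the device's Entra deviceId is in AdditionalProperties.
$memberDeviceIds = @(Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['deviceId'] })

# Registered devices that the rule has not caught up with yet: these are the ones
# that can reach OOBE before the Deployment/ESP profiles are assigned to them.
$pending = @($registered | Where-Object {
    $memberDeviceIds -notcontains $_.AzureActiveDirectoryDeviceId
})

'{0} Autopilot-registered, {1} in group, {2} still pending dynamic evaluation' -f `
    $registered.Count, $memberDeviceIds.Count, $pending.Count
$pending | Select-Object SerialNumber, Model, AzureActiveDirectoryDeviceId | Format-Table -AutoSize
```

Run it once after registering a batch of devices and again a few minutes later; when the pending count hits zero the profiles will be waiting at OOBE. A non-zero count that persists is the signal that the post’s alternative, Autopilot device preparation with enrollment-time grouping, is worth the move.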

Top Pitfalls

  • Too many blocking apps. Every blocking app is a potential ESP timeout. Keep it to security essentials; let the rest stream in post-desktop via required assignments.

  • User-phase ESP left enabled. User-targeted apps plus Known Folder Move plus OneDrive sync at first login is a timeout factory. Disable the account setup phase unless you have a specific, measured reason to keep it.

  • Dynamic group latency. Group membership can take minutes to evaluate and devices race ahead of policy. Mitigation: move to Autopilot device preparation (enrollment-time grouping) for new greenfield tenants, or accept the ring-one pilot friction as the cost of dynamic groups.

For the broader lifecycle picture, start at Overview of Windows Autopilot.

Deploy it once, deploy it tight, and your zero-touch goes from aspirational to boring — which is exactly what production should be.

If I had fun, it’s sustainable. And that’s the real game.


Most MSPs I speak to are exhausted.

They’re exhausted from chasing the next tool, the next framework, the next silver bullet that’s meant to “fix” their business. They’re exhausted from content they feel obligated to create, services they feel pressured to offer, and noise they feel they must contribute to just to stay relevant.

So let me offer a much simpler filter. One that’s kept me sane, productive, and moving forward for a long time.

If I had fun, it’s sustainable. I’ll do it forever.
If it’s useful, I’m adding value, not contributing to the noise.
If I learn something, it’ll get better and better.

Do those three things consistently and, over the long term, you cannot lose.

Fun isn’t fluff — it’s fuel

“Fun” gets a bad rap in business. It’s often dismissed as unprofessional or indulgent. But fun isn’t about mucking around. Fun is energy. It’s momentum. It’s the difference between something you force yourself to do and something you keep coming back to.

If you dread writing content, you won’t do it consistently.
If you hate delivering a service, you’ll eventually resent your customers.
If you’re bored by your own business, burnout is guaranteed.

Sustainability doesn’t come from discipline alone. It comes from enjoyment. The things you genuinely enjoy are the things you’ll refine, improve, and stick with when motivation dips — and it always does.

MSPs who last aren’t the ones who “work the hardest”. They’re the ones who build a business they don’t secretly want to escape from.

Useful beats loud. Every time.

The internet doesn’t need more hot takes, recycled vendor slides, or AI‑generated waffle pretending to be insight.

Your customers don’t need more noise either.

Useful content and services do one thing well: they help someone move forward. They answer a real question. They reduce confusion. They remove friction. They save time, money, or stress.

That’s value.

If what you’re producing wouldn’t genuinely help one of your own customers tomorrow, stop. Don’t publish it. Don’t sell it. Don’t build it just because “everyone else is”.

Being useful compounds. Noise disappears.

Learning is the unfair advantage

Here’s the part most people miss.

When you’re having fun and being useful, learning becomes automatic.

You notice gaps.
You spot patterns.
You refine your thinking.

Each iteration gets slightly better than the last. Your writing improves. Your delivery sharpens. Your positioning clarifies. Your confidence grows — not from hype, but from competence.

This is how authority is actually built. Not by claiming expertise, but by accumulating it through repetition and reflection.

MSPs who keep learning don’t panic when tools change. They understand principles. They adapt faster because they’ve already done the thinking.

Consistency beats optimisation

Everyone wants the “right” strategy. The perfect offer. The ideal funnel.

But long‑term success doesn’t come from perfect planning. It comes from consistent execution guided by simple rules.

Ask yourself:

  • Did I enjoy doing this?

  • Did it genuinely help someone?

  • Did I learn something along the way?

If the answer is yes to all three, keep going. You’re on the right path.

You don’t need to win today. You just need to avoid losing over time.

And if you build a business where you’re having fun, adding value, and getting better every iteration?

That’s not just sustainable.

That’s unstoppable.

Attack Surface Reduction Rules in Microsoft 365 Business Premium: A Practical Deep Dive


If you manage Business Premium tenants for SMB clients, Attack Surface Reduction (ASR) rules are arguably the highest-leverage defensive control you’re not fully exploiting. They ship with Defender for Business (included in Business Premium), they cost nothing extra to enable, and they block the precise behaviours that commodity ransomware and living-off-the-land attacks depend on — Office spawning child processes, Win32 API calls from macros, credential theft from LSASS, and PSExec-style lateral movement. This post assumes you already know what ASR is. The goal here is to help L2/L3 engineers deploy it without breaking line-of-business apps.

Prerequisites the documentation underplays

ASR has hard dependencies that silently downgrade rules to “not configured” if missed. Microsoft Defender Antivirus must be the active AV (not passive, not disabled by a third-party product), real-time protection must be on, and cloud-delivered protection must be on — several rules won’t evaluate without cloud lookups. Verify these under Microsoft Defender portal → Endpoints → Configuration management → Device configuration, and confirm the device shows as “Active” in the device inventory. Tamper Protection must also be enabled tenant-wide; without it, local admins or malware can disable ASR in seconds.
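Because those dependencies fail silently, it pays to confirm them on the endpoint itself rather than trusting the portal. The script below is an added example, not code from the original post: it checks the four prerequisites named above with the built-in Defender cmdlets, prints the per-rule state Defender actually holds locally (whatever source wrote it), and pulls the last day of ASR block, audit and configuration-change events by the event IDs the post cites. The rule-name table is my own and covers only the rules discussed in this post; the GUIDs are the well-known ASR rule IDs, so verify them against Microsoft’s ASR rules reference before relying on the labels.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a
# Business Premium-managed Windows 10/11 device to verify ASR prerequisites and
# see what rule state the endpoint is really enforcing.

# Friendly names for the rules discussed in the post (well-known ASR rule GUIDs;
# assumption: verify against Microsoft's ASR rules reference).
$ruleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
# Action codes as returned by Get-MpPreference.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# The four prerequisites from the post. Any FAIL here means rules will not evaluate.
$checks = [ordered]@{
    'Defender is the active AV (AMRunningMode = Normal, not Passive/EDR Block)' = ($status.AMRunningMode -eq 'Normal')
    'Real-time protection enabled'                                               = [bool]$status.RealTimeProtectionEnabled
    'Cloud-delivered protection enabled (MAPSReporting not 0)'                   = ($pref.MAPSReporting -ne 0)
    'Tamper Protection enabled'                                                  = [bool]$status.IsTamperProtected
}
foreach ($c in $checks.GetEnumerator()) {
    $mark = if ($c.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $mark, $c.Key)
}

# Per-rule state as held locally, regardless of whether Intune or a stale GPO wrote it.
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    $name = $ruleNames[$ids[$i].ToLower()]
    if (-not $name) { $name = '(rule not in the table above)' }
    [pscustomobject]@{
        RuleId = $ids[$i]
        Rule   = $name
        Action = $actionNames[[int]$acts[$i]]
    }
}
if ($rules) { $rules | Format-Table -AutoSize } else { Write-Host 'No ASR rules configured on this device.' }

# Last 24 hours of ASR events: 1121 = blocked, 1122 = audited, 5007 = configuration changed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

A device that passes all four checks yet shows no rules is almost always the “last writer wins” conflict described in the next section; the 5007 events tell you which source last changed the configuration.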

Where to configure in Business Premium

Business Premium gives you two supported paths. The simplified experience lives at security.microsoft.com → Device configuration → Next-generation protection / Firewall, but ASR rules specifically are configured through Intune. In the Microsoft Intune admin center, go to Endpoint security → Attack surface reduction and create an “Attack surface reduction rules” profile targeting Windows 10/11. Avoid mixing this with legacy Endpoint Protection templates or Group Policy — conflicting sources result in the classic “last writer wins” behaviour, and you will spend hours chasing phantom rules. If a device is co-managed or has stale GPOs, check Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational (event IDs 1121, 1122, 5007) to confirm which source applied.

The rollout pattern that works

Do not flip rules straight to Block. The proven pattern is: enable every rule in Audit mode, leave it for two to four weeks, then review the ASR report at security.microsoft.com → Reports → Attack surface reduction rules. Filter by rule and by device, identify the noisy ones, and build per-rule exclusions before switching to Block. Where available, use Warn mode as a staged step — the user gets a toast and can unblock once, which is invaluable for finance teams running macro-heavy spreadsheets. Warn mode is Windows 10 1809+ only; older builds silently treat it as Block.

Start with the “standard protection” set Microsoft recommends: Block credential stealing from LSASS, Block abuse of exploited vulnerable signed drivers, and Block persistence through WMI event subscription. These have the lowest false-positive rate and the highest return. The two rules that most commonly break things are “Block Office applications from creating child processes” (breaks legitimate mail-merge and older add-ins) and “Block executable content from email client and webmail” (breaks zipped installers).

Pitfalls to pre-empt

Exclusions are path-based and case-sensitive on the file name portion — wildcards work on folders, not extensions. Per-rule exclusions (added in later releases) are preferred over global Defender exclusions; use them so you don’t inadvertently hole-punch the whole AV. If a rule appears to do nothing, check whether the device is in EDR block mode and whether Defender is the active AV — ASR is silently disabled under third-party AV. Finally, ASR events do not always surface as alerts; plumb them into your SIEM via the Defender API or Advanced Hunting (DeviceEvents where ActionType startswith "Asr").
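One way to plumb those events into a SIEM without waiting on alerts, as an added example (not code from the original post), is to run the Advanced Hunting query through the Microsoft Graph security API on a schedule and hand the result to your collector. It assumes the Microsoft.Graph PowerShell SDK, a principal granted ThreatHunting.Read.All, and a hypothetical drop folder C:\SIEM; the KQL is my own, built on the DeviceEvents / ActionType startswith "Asr" filter mentioned above and grouped so audit-mode noise is visible per rule and per initiating process.

```powershell
# Added example, not from the original post. Pulls a week of ASR events from
# Advanced Hunting via Microsoft Graph and writes a CSV for the SIEM collector.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

# ActionType already encodes the rule and whether it was Blocked or Audited
# (e.g. AsrLsassCredentialTheftBlocked / AsrLsassCredentialTheftAudited),
# so grouping on it gives a per-rule, per-mode view for the Audit-to-Block review.
$query = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize Events = count(),
            Devices = dcount(DeviceId),
            LastSeen = max(Timestamp)
    by ActionType, InitiatingProcessFileName, FileName
| order by Events desc
'@

# v1.0 Advanced Hunting endpoint; body is a single Query property.
$resp = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body @{ Query = $query }

# Results arrive as hashtables keyed by column name; flatten them for output.
$rows = @($resp.results | ForEach-Object { [pscustomobject]$_ })

$rows | Format-Table ActionType, InitiatingProcessFileName, FileName, Events, Devices -AutoSize

# Hypothetical drop folder picked up by the SIEM collector.
$outDir = 'C:\SIEM'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$rows | Export-Csv -Path (Join-Path $outDir ("asr-events-{0:yyyyMMdd}.csv" -f (Get-Date))) -NoTypeInformation
```

The same grouped output doubles as the evidence for the Audit-mode review in the rollout section: the rows with the highest Events count for an Audited action type are the candidates for per-rule exclusions before that rule moves to Block.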

References

CIA Brief 20260502


Microsoft 365 Copilot & AI Agents

Microsoft 365 Apps & Productivity

Security & Defender

Identity (Microsoft Entra)

Microsoft Sentinel

Exchange Online

Corporate / Earnings

After hours

Starship – Test like you Fly – https://www.youtube.com/watch?v=ANe_HW4X8oc

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week