CIAOPS Need to Know Microsoft 365 Webinar – July


Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Why Your Microsoft 365 Is Still a Mess (Even with AI).

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

July Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2607 )

The details are:

CIAOPS Need to Know Webinar – July 2026
Friday 31st of July 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Youtube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

CIAOPS AI Dojo 14


What’s the session about?

This month we will be focusing on new Copilot Cowork features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

  • IT administrators and support staff
  • Business owners
  • People looking to get more done with Microsoft 365
  • Anyone looking to automate their daily grind

Save the Date

Date: Friday the 31st of July 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

Register Now

The AI Toolkit Monetization Strategy: Building Enterprise Value with Microsoft Technologies


I’ll start with something that won’t win me any friends at the next AI meetup: owning the cleverest AI tool in the room won’t make you a cent. Not the model, not the agent, not the prompt you spent a weekend perfecting. I’ve watched a lot of people fall in love with the technology and then wonder why the invoices aren’t getting any bigger. The uncomfortable truth is that nobody pays for tools. They pay for problems disappearing.

Think about a carpenter for a moment. A carpenter doesn’t get wealthy selling you a single hammer off the back of the ute. They get paid because they walk onto a site, look at a house that needs building or a roof that’s letting the rain in, and they know exactly which tool to reach for and when. The hammer matters, but only because of the hand holding it and the job it’s pointed at. That’s the mindset I think anyone serious about AI needs to adopt — and if your organisation already lives inside the Microsoft cloud, you’ve quietly been handed a very good toolkit. Most people just haven’t worked out how to pick it up.

The hammer: Copilot and Azure OpenAI

The language model is your hammer. It’s the tool you swing by hand, and it’s genuinely powerful — but it does what you tell it, no more. In the Microsoft world that’s Microsoft Copilot sitting across your Outlook, Word and Teams, with Azure OpenAI underneath when you need to build something bespoke.

Here’s where most people get it wrong: they treat Copilot like a fancier search box. They type a vague half-question, get a vague half-answer, and conclude the whole thing is overhyped. The people getting real value approach it with a bit of discipline. The way I think about it is four steps — mission, ask, parameters, shape.

Start with the mission: the business outcome, not the chore. Don’t ask Copilot to “find me some leads.” Tell it you need thirty new enterprise clients this quarter to hit a revenue target. Then comes the ask — one sharp, specific request, like pulling together forty qualified IT directors in healthcare with their contact details. Then parameters — the context and the guardrails. This is where Copilot in Microsoft 365 earns its keep, because you can point it straight at the files in your SharePoint or OneDrive so it’s reasoning over your data, not a guess about the world. A tip I lean on constantly: dictate your context rather than typing it. The voice option in Copilot lets you talk through the background in thirty seconds, and you talk far faster than you type. Finally, shape — tell it the format you want. A clean table, a CSV you can drop into Excel, a tight bulleted summary. Stop reformatting things by hand like it’s 2015.

The screwdriver: Power Automate

A hammer needs a fresh swing every single time. The moment you find yourself doing the same AI-assisted task over and over, you’ve outgrown it. That’s when you reach for the screwdriver — automation — and in the Microsoft stack that’s Power Automate with AI Builder doing the heavy lifting.

The shift here is subtle but enormous. Instead of opening Copilot every morning to run the same prompt, you build a flow once and let it run on a schedule or off a trigger, quietly, in the cloud, forever.

Not everything deserves a flow, though, and this is where people burn weeks they’ll never get back. I run three quick tests before building anything. Is it repetitive — happening at least weekly, ideally daily? Is it rule-based, with predictable inputs and a predictable result? And does it actually pay back — does the time saved over a year dwarf the time spent building it? Don’t spend sixty hours constructing a flow that rescues someone two minutes a week. That’s not automation, that’s a hobby.

An example I like: a sales call recording lands in a Teams channel. Power Automate sees it, AI Builder pulls the transcript, reads the sentiment, drops the action items straight into Dynamics 365, and posts a tidy weekly summary back into the leadership channel in Teams. Nobody touched it. That’s the screwdriver doing its job.

The power drill: Copilot Studio

Then there are the jobs where you don’t want to define the steps at all — you just want the outcome. That’s the power drill, and Microsoft’s answer is Copilot Studio, where you build agents that handle whole processes on their own.

With the hammer and the screwdriver, you’re still drawing the map. With an agent, you describe the destination and let it find its own way through the subsystems. The trick to doing this without disaster is what I’d call staying on the loop rather than in it. Pick a genuinely meaty workflow — vendor onboarding end to end, say, from reading the invoice email, to cross-checking your Dataverse tables, to running compliance, to setting up billing. Then, and this is the hard part, don’t keep grabbing the wheel. Let it run.

Two habits make this safe. First, have agents check each other — a builder agent in Copilot Studio writes a script, and a separate reviewing agent picks it apart for security gaps before anything reaches a human. Second, watch for drift. An agent grinding away over hours or days can slowly lose the plot, so your role becomes the manager who inspects, resets the context when it wanders, and keeps it pointed at the goal.

The orchestrator gets paid

Here’s the part that actually moves the money. Owning these three tools doesn’t make you rich. Conducting them does. The orchestrator is the one who looks at a bleeding supply chain or a drowning support desk and reaches across the whole Microsoft AI toolkit — Copilot, Power Automate, Copilot Studio — to make the pain stop.

Your clients don’t lie awake wondering whether you used GPT-4o through Azure or a Copilot Studio agent. They lie awake about their costs. Solve that, and the technology underneath becomes a footnote. Problems are where the value lives.

So the real shift isn’t learning another tool. It’s moving from doing the work to directing it. Step back, find the problem worth solving, and orchestrate the kit you already own.

Outlook Draft Instructions vs Microsoft 365 Copilot Personalization — what’s the difference and which takes priority?


I see a lot of people trying out Microsoft 365 Copilot for Outlook, then asking why the emails it drafts don’t sound like them. Many end up manually tweaking every email Copilot writes, thinking it’s unavoidable.

“Why does Copilot always add ‘I hope you’re well’? I’m spending more time editing than drafting!”

Sound familiar? That’s not a failure of Copilot. That’s a missed opportunity. If you keep re-teaching Copilot your style every time you use it, you’re doing it wrong. The solution: set up the right instructions once, so Copilot learns how you want your emails written from the start.

What are Outlook Draft Instructions and Copilot Personalization, really?

Think of them as layers of guidance for Copilot. Outlook Draft Instructions are your email-specific preferences stored in Outlook. They’re all about how your email drafts should look: friendly vs formal tone, how long or detailed to make messages, whether to use bullet points, how to greet people, the sign-off you prefer—basically, how to sound like you in email (https://support.microsoft.com/outlook/copilot-outlook/ask-copilot-to-make-email-drafts-sound-like-you).

By contrast, Microsoft 365 Copilot Personalization is your global Copilot profile—the custom instructions and memory that apply across all Copilot experiences in Microsoft 365 (Word, Outlook, Teams, etc.), not just email. These personalization settings let Copilot know your role, typical audience, and general communication style so it can tailor any response, in any app, closer to what you need (Customize how Microsoft 365 Copilot responds to you).

Put simply: Draft Instructions tell Copilot how to handle your emails, while Copilot Personalization defines how Copilot behaves everywhere. And there’s no mystery about which one takes priority. When you click Draft with Copilot in Outlook, here’s the order in which Copilot follows your instructions:

  • Your prompt (highest priority): Anything you explicitly ask for (tone, style, language, etc.) in the prompt overrides everything else.

  • Outlook Draft Instructions: Your app-specific email defaults; used whenever your prompt doesn’t override them.

  • Global Copilot Personalization: Your general preferences fill any gaps not covered by your prompt or Outlook’s instructions.

  • Organizational policies: These always apply for compliance and safety (e.g. Data Loss Prevention (DLP) blocking sensitive info) but they don’t affect writing style.

Step-by-Step: Fine-tune Copilot for your email style

Open Outlook’s Copilot Draft Instructions

To set this up, you’ll need the new Outlook (or Outlook on the web) since the feature isn’t in classic Outlook’s UI. In the new Outlook on Windows or web, click the Copilot icon in the compose window. From the dropdown, select Settings, then click Draft Instructions.

Add your email style preferences

Turn on Use custom instructions when drafting email. Now type a short description of how you want Copilot to draft your emails. Be specific about tone, structure, greetings, and sign-offs. Do you prefer concise messages or detailed ones? Formal language or a friendly vibe? For example, you might write:

Use a friendly tone.
Start each email with "Hi [Name],".
Avoid corporate jargon and fluff.
Sign off with "Thanks, [Your Name]".

Notice what’s missing? We didn’t mention anything about length or level of detail in those instructions. That’s on purpose – if you leave something out here, Copilot will fall back to your global Personalization settings to fill in the blanks.

Set global Copilot Personalization

Next, open your Microsoft 365 Copilot settings (for example, in the Copilot Chat app or via the Copilot sidebar in any Office app). Go to Settings and select Personalization. Under Custom instructions, add broad guidance about yourself and your style that should apply everywhere. Tell it who you are and how you like your output across Microsoft 365. For instance, “I’m a small business owner writing for busy clients, so keep everything concise and professional.” Save your instructions.

Why this changes how you email

Once you’ve set up these preferences, you’ll stop fighting with Copilot’s tone and phrasing. Instead of manually fixing greetings or trimming fluff each time, you get drafts that fit your style on the first try. It’s like hiring an assistant who already knows your voice—from day one.

Better yet, showing your clients how to configure these settings is an easy win. It reduces their frustration with generic AI output, boosts their trust in Copilot, and makes you look like a trusted advisor. If you’re not helping them set their Copilot’s style, you’re leaving a lot of value on the table.

Copilot’s drafting preferences aren’t about adding complexity – they’re there to remove it.

Set them up once, and you can stop rewriting Copilot’s emails and start reaping the benefits of an AI that truly sounds like you.

Why your DLP policy isn’t DLP (and how to fix it in Microsoft 365)


Most SMBs think they’ve “done DLP” because they ticked a box in Exchange.

They scan outbound email.

They block the occasional credit card number.

They call it done.

That’s not DLP. That’s transport filtering.

Real data loss doesn’t just leave through email anymore. It walks out via USB, clipboard, browser uploads, and users who don’t realise they’re doing anything wrong.

If you’re only protecting email, you’re protecting yesterday’s risk.

The shift is simple: stop thinking about where data leaves, and start thinking about where data lives and how it’s used.

What is Microsoft Purview DLP, really?

At its core, Microsoft Purview DLP is a policy engine that watches how sensitive data is used and shared, then steps in when it shouldn’t be.

Not just email. Not just files.

Behaviour.

It looks across Microsoft 365 — Exchange, SharePoint, Teams — and now endpoint devices as well.

That matters.

Exchange DLP scans emails and attachments and enforces actions.
Endpoint DLP extends this to USB copies, printing, clipboard, and uploads.

“We’ve got DLP on email, so we’re covered.”

No, you’ve just moved the problem somewhere else.

Data will always find another path out.

Step-by-Step: building a real DLP policy (Exchange + endpoint)

1. Go to the Purview portal

Navigate to Data loss prevention → Policies → Create policy.

2. Choose your locations

Select Exchange Online and Devices.

3. Define what matters

Use built-in sensitive information types and add context like external recipients.

4. Choose actions that teach

Warn, block, or allow override with justification.

5. Turn on endpoint coverage

Monitor and control how sensitive data is used directly on devices.

User copies sensitive file to USB → Block
User uploads to personal cloud → Block
User tries to email externally → Warn or encrypt

Notice what’s missing?
Separate tools.
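The same five steps, written as an added example in Security & Compliance PowerShell rather than the portal (this is not code from the CIAOPS post). It creates one policy covering Exchange Online and Devices, starts it in audit mode with policy tips, warns with override-and-justification on external email, and blocks USB and personal-cloud uploads on the endpoint. It assumes the ExchangeOnlineManagement module is installed, the caller holds a compliance admin role, and devices are already onboarded to Purview; the policy and rule names are constructed for the example.

```powershell
# Added example, not the post's own code: one Purview DLP policy for
# Exchange + endpoint, created in audit mode and later switched to enforce.
# Assumes: ExchangeOnlineManagement module, compliance admin role, devices
# onboarded to Purview. Names below are constructed placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$PolicyName = 'SMB Baseline - Financial Data'   # constructed name

# Step 1-2: the policy carries the locations (Exchange Online + Devices) and
# the mode. TestWithNotifications = audit mode with policy tips, so users see
# the tip before anything is blocked.
if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $PolicyName `
        -Comment 'Exchange + endpoint coverage for card and bank account data' `
        -ExchangeLocation All `
        -EndpointDlpLocation All `
        -Mode TestWithNotifications
}

# Step 3-5: the rule carries what matters (built-in sensitive info types),
# the context (recipients outside the organisation) and the actions.
#   Email externally           -> warn, allow override with justification
#   Copy to removable media    -> block
#   Upload to personal cloud   -> block
#   Print                      -> audit only (watch first, decide later)
New-DlpComplianceRule -Policy $PolicyName -Name "$PolicyName - external and endpoint" `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyAllowOverride 'WithJustification' `
    -NotifyPolicyTipCustomText 'This message contains financial data. Remove it, or justify sending it externally.' `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'CloudEgress';    Value = 'Block' },
        @{ Setting = 'Print';          Value = 'Audit' }
    )

# After reviewing the audit results in Activity explorer, enforce the same policy:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable

Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, ExchangeLocation, EndpointDlpLocation
```

The policy and the rule are deliberately separate objects: the policy owns the locations and the audit/enforce switch, so moving from "run in audit mode" to "then enforce" is a single `Set-DlpCompliancePolicy -Mode Enable` without touching the conditions or the endpoint restrictions.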

Why this actually changes behaviour

Most security controls are reactive.

DLP — when done right — isn’t.

It works in the moment.

That’s the real win.

Instead of cleaning up incidents, you prevent them.

And you educate users while they work.

“Why did that get blocked?”

Now you’ve got a conversation instead of a breach.

My recommendation?

Start with one policy that covers Exchange and Endpoints. Run in audit mode. Then enforce.

Security doesn’t fail at the perimeter anymore. It fails in the moment of use.

DLP isn’t there to watch data leave.
It’s there to stop it leaving in the first place.

A Cleaner Way to Connect PowerShell to Microsoft Teams


If you still rely on Connect-MicrosoftTeams with an interactive sign-in every time you need to do some administration, you already know the frustration.

Scripts stop and wait for credentials. Scheduled tasks simply can’t run unattended. MFA prompts interrupt automation. And if you’re managing multiple tenants as an MSP, jumping between browser windows and authentication prompts quickly becomes tedious.

Microsoft has supported certificate-based authentication for Teams PowerShell for some time. The challenge hasn’t been the technology. The challenge has been the setup.

I’ve created a script that handles that process for me, removing most of the manual work and making certificate-based authentication something I can deploy consistently across customer tenants. The approach follows the same design philosophy I’ve been using for Exchange Online and other Microsoft 365 workloads: automate the plumbing so I can focus on the outcome. You can find it here:

https://github.com/directorcia/Office365/blob/master/o365-connect-tms-cert.ps1

and the documentation is here:

https://github.com/directorcia/Office365/wiki/Certificate-based-connection-for-Teams

What the Script Actually Does

The script operates in two primary modes.

The first mode, -GenerateLocalCertificate, creates a self-signed certificate on the local machine and exports the information needed for authentication. If required, it can also provision the Entra ID application automatically. The local certificate becomes the device’s identity when connecting to Teams PowerShell.

The second mode, -UseCertificateAuth, performs the actual Teams connection using the existing certificate and application registration. No password. No browser pop-up. No MFA prompt in the middle of an automated process.

The really useful feature is combining certificate generation with application provisioning. In a single operation the script can:

  • Create the local certificate

  • Authenticate to Microsoft Graph using device code authentication

  • Create or reuse an Entra ID application registration

  • Upload the certificate to the application

  • Create the required service principal

  • Assign the necessary permissions

  • Store the configuration details for future use

Tasks that typically involve multiple portals, several copy-and-paste operations, and more than a few opportunities to make mistakes can be reduced to a single repeatable process.

Why Certificate Authentication Matters

The biggest advantage is that you’re no longer tying automation to an admin account.

Traditional approaches often depend on an account that someone logs into interactively. That works fine until MFA settings change, conditional access rules are updated, or the account password expires.

Certificate authentication shifts the trust model. Instead of trusting a username and password, Microsoft validates the certificate installed on the machine against the certificate registered in Entra ID. If they match, the connection succeeds. If they don’t, access is denied.

That makes the solution both more secure and more reliable.

For MSPs, it also provides a cleaner operational model. Each technician workstation can have its own certificate while sharing the same application registration inside the customer tenant. If a machine is retired or a staff member leaves, removing the associated certificate immediately blocks access from that device without affecting anyone else.

The MSP Advantage

This is where the approach starts to shine.

A common question is whether every machine requires a separate application registration. The answer is no.

The design I prefer is a single Teams application per tenant with multiple certificates attached to it. Each device gets its own unique certificate, but all of them authenticate through the same application registration. That keeps administration simple while still maintaining proper separation between devices.

When a new technician needs access:

  1. Run the provisioning process.

  2. Generate a new certificate.

  3. Associate it with the existing application.

  4. Start working.

When access needs to be removed:

  1. Delete the certificate association.

  2. Access from that machine immediately stops.

No password resets. No account changes. No disruption for other administrators.
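The provisioning sequence described above and the one-app-many-certificates model, as an added example written against the Microsoft Graph PowerShell SDK and the MicrosoftTeams module. This is not the CIAOPS o365-connect-tms-cert.ps1 script; it assumes both modules are installed, that the Teams application registration and its service principal already exist with the required permissions (the post's script handles that part), and that the caller holds Application.ReadWrite.All in the customer tenant. `$AppId`, `$TenantId` and the certificate subject names are placeholders.

```powershell
# Added example, not the post's script: per-device certificates attached to
# one shared Teams application, plus the unattended connection and the
# revocation step. Assumes Microsoft.Graph and MicrosoftTeams modules, an
# existing app registration with Teams permissions, and Application.ReadWrite.All.

Import-Module Microsoft.Graph.Applications
Import-Module MicrosoftTeams

# One local, non-exportable key per technician workstation: the device identity.
function New-DeviceAuthCertificate {
    param([string]$DeviceName)
    New-SelfSignedCertificate -Subject "CN=TeamsPS-$DeviceName" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(1)
}

# Attach the public half to the shared application without disturbing the
# certificates other devices already use. Update-MgApplication replaces the
# whole keyCredentials collection, so existing entries (identified by KeyId)
# are re-submitted alongside the new one.
function Add-DeviceCertificateToApp {
    param([string]$AppId, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $app  = Get-MgApplication -Filter "appId eq '$AppId'" | Select-Object -First 1
    $keys = @($app.KeyCredentials) + @{
        Type          = 'AsymmetricX509Cert'
        Usage         = 'Verify'
        Key           = $Cert.RawData          # public certificate only, never the private key
        DisplayName   = $Cert.Subject
        StartDateTime = $Cert.NotBefore
        EndDateTime   = $Cert.NotAfter
    }
    Update-MgApplication -ApplicationId $app.Id -KeyCredentials $keys
}

# Offboarding: remove one certificate by thumbprint; every other device keeps working.
function Remove-DeviceCertificateFromApp {
    param([string]$AppId, [string]$Thumbprint)
    $app  = Get-MgApplication -Filter "appId eq '$AppId'" | Select-Object -First 1
    $keep = $app.KeyCredentials | Where-Object {
        # CustomKeyIdentifier holds the certificate thumbprint bytes
        -not $_.CustomKeyIdentifier -or
        (([System.BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', '') -ne $Thumbprint.ToUpper())
    }
    Update-MgApplication -ApplicationId $app.Id -KeyCredentials @($keep)
}

# --- Provisioning a new technician machine (device code sign-in, once) ---
$AppId    = '00000000-0000-0000-0000-000000000000'   # placeholder: Teams app registration
$TenantId = 'contoso.onmicrosoft.com'                 # placeholder: customer tenant

Connect-MgGraph -TenantId $TenantId -Scopes 'Application.ReadWrite.All' -UseDeviceCode
$cert = New-DeviceAuthCertificate -DeviceName $env:COMPUTERNAME
Add-DeviceCertificateToApp -AppId $AppId -Cert $cert
Disconnect-MgGraph

# --- Unattended connection from that machine: no password, no MFA prompt ---
Connect-MicrosoftTeams -ApplicationId $AppId -TenantId $TenantId -CertificateThumbprint $cert.Thumbprint
Get-CsTenant | Select-Object DisplayName

# --- Revoking the device later (machine retired, technician leaves) ---
# Connect-MgGraph -TenantId $TenantId -Scopes 'Application.ReadWrite.All' -UseDeviceCode
# Remove-DeviceCertificateFromApp -AppId $AppId -Thumbprint $cert.Thumbprint
```

Two design points worth noting: the private key is generated non-exportable in the user's store, so the "device identity" cannot be copied to another machine, and revocation is a change to the application's key list rather than to any account, which is why it affects only the one device.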

Getting Started

If you’re still connecting to Teams PowerShell interactively for daily administration, I’d encourage you to investigate certificate-based authentication.

The technology isn’t new. What’s important is reducing the complexity required to deploy it.

The real benefit isn’t that you save a few clicks when connecting. The real benefit is that you create a repeatable, secure authentication framework that supports automation, improves operational consistency, and removes dependence on administrator credentials.

For MSPs managing multiple tenants, that’s a significant improvement.

The less time I spend authenticating, the more time I spend solving customer problems. And that, ultimately, is the point.

The Most Important Part of Productivity Is the Product


I had a conversation last week that’s stuck with me. Someone was describing their week — back-to-back meetings, an inbox wrestled down to zero, a colour-coded calendar that would make a project manager weep with joy. They were exhausted and, oddly, proud of it. So I asked a simple question: what did you actually make? Long pause. The honest answer was “not much.” A full week of motion, and almost nothing to show for it.

We’ve quietly redefined productivity to mean busyness. How fast you reply. How many minutes you squeeze from a day. How efficiently you move between tasks. But strip the word back and the heart of it isn’t the activity — it’s the product. The thing that exists now that didn’t exist on Monday morning. The proposal that’s written. The decision that’s made. The client problem that’s solved. Everything else is just noise around the signal. We measure the noise because it’s loud and easy to count. The signal is quieter, and it’s the only part that actually matters.

Motion is easy to measure. Output is the hard part.

The reason we drift toward efficiency is that it’s comfortable. You can count emails sent and meetings attended. You feel the satisfaction of a tidy inbox. But none of those are products — they’re scaffolding. I’ve watched people spend an entire afternoon “getting organised” and call it a good day’s work, when really they just rearranged the furniture. The week looked productive. Nothing was produced.

This is where I think Copilot changes the conversation, and not in the way the marketing suggests. The point isn’t that it makes you faster at the busywork. It’s that it takes the busywork off the table, so what’s left is the actual product. When I ask Copilot in Outlook to summarise a long thread and draft the reply, I haven’t saved twenty minutes — I’ve removed a task that was never the point. The reply was never my product. The thinking behind it was.

Spend the time you save on something worth showing.

That’s the part people miss. The danger isn’t that Copilot does the low-value work — it’s what you do with the gap it opens up. If Copilot pulls your meeting notes and action items together in Teams, and you spend that reclaimed hour clearing three more emails, you’ve efficiency-ed yourself in a circle. But if you use it to write the strategy document you’ve been avoiding, or to think properly about a client’s problem in Word with Copilot helping shape the argument, the tool has earned its place. Or you point Copilot at a messy spreadsheet in Excel, ask it what the numbers are really saying, and walk into the meeting with an answer instead of a pile of data. The output, not the speed, is the scorecard.

I’ve started asking myself a blunt question at the end of each day, and I’d suggest you try it. Not “was I busy?” — I’m always busy. The question is: what can I point to? What did I produce that someone else could pick up, use, or judge? Some days the answer is a single solid thing, and that beats a day filled with forty small tasks that vanish the moment they’re done.

Copilot has made me more honest about this, because once the friction is gone, you can’t hide behind it. The empty afternoon is exposed for what it is. That’s the real shift worth watching — not doing things faster, but finally being able to ask whether the thing was worth doing at all.

Entra ID Password Protection + Smart Lockout



People still obsess over password complexity.

Twelve characters. Special symbols. Rotation every 90 days.

And yet accounts still get compromised.

That’s because attackers don’t guess random passwords anymore. They guess human passwords.

That’s not a complexity problem. That’s a behaviour problem.

So instead of arguing about password rules, I push clients to focus on two things they already have in Microsoft 365:

Password Protection and Smart Lockout.

Quietly running. Often ignored. Rarely tuned.

Here’s what actually matters.


What is Entra ID Password Protection + Smart Lockout, really?

It’s not a password policy.

It’s a filter and a shield.

Password Protection stops users from choosing bad passwords in the first place.

It uses a global banned password list driven by Microsoft telemetry and blocks weak or common passwords automatically—no configuration required. [learn.microsoft.com]

On top of that, you can add your own banned terms. Company names. Locations. Products. The obvious stuff attackers try first.

Then there’s Smart Lockout.

This is what most people misunderstand.

It’s not “lock the account after X attempts”.

That’s old thinking.

Smart Lockout can distinguish between a real user fat-fingering a password and an attacker trying thousands of guesses. [learn.microsoft.com]

Same identity. Different treatment.

Attackers get blocked quickly.

Real users keep working.

That’s not a nicer lockout policy.

That’s a signal-driven control.

“But we already have account lockout on-prem.”

Exactly.

And that’s the problem.


Step-by-Step: Tune Password Protection and Smart Lockout

Portal only. No scripts. No excuses.

1. Open Password Protection settings

Go to:

Entra admin centre
Protection
Authentication methods
Password protection

This is the only place you need.

2. Add a custom banned password list

Add terms like:

  • Company name variations

  • Internal product names

  • Common abbreviations

  • Location names

These get evaluated alongside the global list and block weak variants automatically. [learn.microsoft.com]

Not just exact matches.

Variants.

That’s the key.

3. Review Smart Lockout threshold

Default is:

Most SMBs never touch this.

My recommendation?

Lower it slightly only if you understand user behaviour.

Too low and you create support tickets.

Too high and you give attackers room to work.

You’re not tuning numbers.

You’re tuning friction.

4. Set lockout duration

Default starts short (around a minute) and increases with repeated attempts. [learn.microsoft.com]

That’s deliberate.

Short for users.

Painful for attackers.

If you override this, be careful.

Long lockouts punish users.

Short lockouts reward attackers.

5. Leave Smart Lockout on (always)

Important:

Smart Lockout is already enabled.

There’s nothing to “turn on”.

There’s only:

  • Leaving it alone

  • Or breaking it

6. Pair it with MFA (properly)

Password protection is not enough.

Microsoft is very clear on that.

Use it alongside MFA and Conditional Access. [learn.microsoft.com]

Otherwise you’re just slowing attackers down.

Not stopping them.


Why this actually changes behaviour

This is the part most MSPs miss.

These features don’t just block attacks.

They retrain users.

Bad password?

Rejected.

Repeated guessing?

Blocked.

Users learn quickly what works and what doesn’t.

No training session required.

No PDF sent out.

No awareness campaign.

The system corrects behaviour in real time.

“We’ll just educate users instead.”

You can.

Or you can enforce it once and let the platform do it forever.

Ask once. Enforce always.

Here’s the real win:

  • Fewer compromised accounts

  • Fewer lockout tickets

  • Fewer “why is this happening?” calls

And importantly:

  • Better outcomes with less effort

That’s the bit most people overlook.


Notice what’s missing?

No password complexity discussion.

No rotation debates.

No “special characters required”.

Because those don’t solve the real problem.

Attackers aren’t brute-forcing randomly anymore.

They’re spraying expected passwords across thousands of accounts.

Password Protection removes the obvious targets.

Smart Lockout kills the attack path.

Different layers.

Same outcome.


Passwords aren’t going away.

But weak passwords should.

And repeated guessing definitely should.

Password Protection isn’t there to make passwords stronger.

It’s there to make bad passwords impossible.