Defender XDR unified incident queue

Most MSPs I talk to are still triaging Defender alerts one console at a time. Open Defender for Endpoint, jump to Defender for Office 365, check Entra sign-in logs, back to the device timeline. Five tabs, five clocks, no story.

That’s not response. That’s archaeology.

Defender XDR fixed this. The unified incident queue sits in the Microsoft Defender portal and stitches signals from Endpoint, Office 365, Identity, Cloud Apps and Entra into a single container called an incident. One incident, one timeline, one place to act.

If you’re still working from individual alert lists, you’re doing the correlation work the platform already did for you.

What is the unified incident queue, really?

An alert is one signal — a flagged email, a process anomaly, a risky sign-in. An incident is what Defender builds when it stitches several of those alerts into one attack story across products. Same user, same device, same attacker IP, same hour, one incident.

You stop looking at noise and start looking at attacks. Microsoft frames it exactly that way in Incidents and alerts in the Microsoft Defender portal.

Notice what’s missing? Sentinel. You don’t need it to get value from this queue.

Step-by-Step: Working an incident properly
Open the queue

In security.microsoft.com, expand Investigation & response > Incidents & alerts > Incidents. That’s your home page now. Pin it.

Triage the top of the list

Sort by Severity. For each new incident, assign an owner, set status to In progress, and add a tag like ransomware-suspect or bec-suspect so the rest of your team can filter on it. Microsoft walks through this on Manage incidents in Microsoft Defender.

Open the attack story

Inside the incident, click Attack story. You get a graph — users, devices, files, mailboxes — with events in order. This is where the correlation pays off. You’re not joining tabs in your head anymore.

Hunt for the rest of it

If the incident feels like one footprint of a bigger campaign, open Hunting > Advanced hunting and run a KQL query against the relevant table. Bookmark the Advanced hunting overview; it lists every table the queue can see across all the Defender workloads.

A starter:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("Invoke-WebRequest","DownloadString","certutil")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

Notice what’s missing? PowerShell. You’re not running this from a remote shell. It runs in the portal, against the same data the incident was built from. That’s the point.

Save the good queries as detections

Any hunting query you’d happily wake up to at 3am can become a custom detection rule. From Advanced hunting, hit Create detection rule. Defender runs your query on a schedule and the matches feed straight back into the incident queue. The flow is documented in the Custom detections overview.
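As an added example (not from the original post), here is the starter query above reshaped so that Create detection rule will accept it. A custom detection needs the Timestamp and ReportId columns plus at least one entity column (DeviceId and AccountObjectId are used here); the certutil exclusion and the parent-process flag are assumptions to tune per tenant.

```kql
// Added example: starter hunt reshaped into a custom-detection candidate.
// Custom detection rules require Timestamp, ReportId and at least one
// entity column (DeviceId / AccountObjectId) so matches can be attached
// to the right device and user in the incident queue.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "certutil")
// Assumption: drop routine certutil certificate-store maintenance, which
// otherwise dominates the results. Tune this list to the tenant.
| where not (FileName =~ "certutil.exe"
             and ProcessCommandLine has_any ("-store", "-addstore", "-viewstore"))
// Flag the cases worth waking up for: an Office app or script host as the parent.
| extend SuspiciousParent = InitiatingProcessFileName in~
    ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe")
| project Timestamp, ReportId, DeviceId, DeviceName, AccountObjectId, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine, SuspiciousParent
| order by SuspiciousParent desc, Timestamp desc
```

Run it in Advanced hunting first and check the volume; a query that returns hundreds of rows a day is a hunt, not a detection.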

That’s the loop. Hunt once, detect forever.

Why this actually changes behaviour

“Where do I start?” becomes “What story is Defender telling me?”

When the queue is your home page, your team stops chasing alerts and starts closing incidents. The numbers you report to clients become incidents closed, median time to triage, active attack stories — not raw alert counts nobody can interpret.

The custom detection layer is where MSPs separate themselves. The product gives you the correlations Microsoft thought of. The rules you write are the correlations your clients need. Stack a few by vertical — finance, legal, construction — and you have a productised security service the next MSP down the road doesn’t.

The unified queue isn’t there to give you fewer alerts. It’s there to make alerts something you can actually work.

The Founder Is the Ceiling

I’ve watched plenty of MSP owners import a new strategy — a pricing model, a sales motion, an AI practice — and then sit back waiting for results that never quite arrive. The framework is fine. The consultant was competent. The slide deck is tidy. Nothing lands. After the third or fourth time you see this pattern, you start to suspect the strategy was never the problem. The person running it was running the same way they always had, with the same instincts, the same blind spots, the same calendar. And the strategy, for all its elegance, quietly gathers dust.

Strategies borrow their ceiling from the founder

Here’s the uncomfortable bit. Every strategy in your business is quietly capped by whoever owns it at the top. A sales playbook built for disciplined follow-up doesn’t survive contact with a founder who hates picking up the phone. A managed services model built around proactive account reviews doesn’t work for an owner who still treats quarterly business reviews as optional. A cyber practice built on hard conversations about risk doesn’t get off the ground when the founder is uncomfortable delivering bad news to clients. The strategy isn’t weak. It’s just being run through the wrong instrument. You can buy a better playbook, hire a better consultant, pay for a better PSA, and you’ll still end up with results shaped by your own habits. That’s not a criticism. It’s just mechanics. The business is a reflection of the person at the top, and the ceiling on your strategies is almost always the ceiling on you.

The tool is a mirror, not a transformation

This is where I see Copilot quietly doing more than most owners realise. Not as a productivity gadget — as a mirror. When I open Copilot in Outlook and ask it to summarise the week’s inbox, I’m confronted with what I’ve actually been spending my time on, not what I thought I was spending my time on. When I ask Copilot in Teams to pull the decisions out of a client meeting, I notice which decisions I keep ducking. When I use Copilot Chat to pressure-test a proposal before I send it, I catch lazy thinking I would have signed off on a year ago. None of that changes my strategy. It changes me. That’s the part that makes the strategy finally move. The upgrade isn’t in the tool. It’s in the habit of using the tool to confront how I actually work, then doing something about what I find. That is a very different thing to rolling Copilot out across the tenant and calling it a transformation.

The hardest part is seeing yourself

Most founders I talk to are genuinely willing to change their business. Far fewer are willing to change themselves. We’ll restructure the team, rewrite the service catalogue, and re-platform the ticketing system before we’ll look honestly at our own calendar, our own decision-making, or our own tolerance for avoidance. The interesting thing is that the same Microsoft 365 tools we’re selling to clients — Copilot, Loop, Planner, SharePoint — are the ones that expose our own patterns if we let them. A Loop page tracking your weekly commitments will tell you the truth about your follow-through in about a fortnight. That’s a confronting experience, and it’s where the real upgrade starts.

Before you import your next strategy, ask a harder question. What would I have to become for this to actually work in my business? If the honest answer is “someone I’m not yet”, the strategy isn’t the first thing that needs upgrading. You are. Everything else in the business eventually rises or falls to that line. That’s not an easy sentence to sit with. It’s also the one I keep coming back to whenever I watch a good strategy fail to stick.

What is connecting Copilot agents to Dataverse, Graph, and connectors, really?

When people hear “Copilot Studio agent,” they picture a chatbot. That’s the wrong mental model. A modern agent is a reasoning layer sitting on top of three very different pipes: your business data in Dataverse, your organisational content in Microsoft Graph, and the wider universe of SaaS via Power Platform connectors.

Each pipe has its own auth story. And that’s where almost every SMB and MSP rollout I see comes unstuck.

That’s not a configuration problem. That’s an identity problem dressed up as a configuration problem.

Step-by-Step: wiring an agent to the three pipes
Set the agent’s authentication first

Before you add a single tool, go to Settings → Security → Authentication in your agent. Pick Authenticate with Microsoft. This uses Microsoft Entra ID to identify whoever is chatting — and it’s the prerequisite for almost everything that follows.

Skip this step and your agent runs as nobody. Which means it can’t read Dataverse on the user’s behalf, can’t honour SharePoint permissions, and can’t call a connector as the signed-in user. Get the front door right and the rest gets easier.

Add a Dataverse table as knowledge

Open Knowledge → Add knowledge → Dataverse. You can wire up to 15 tables per agent. Two things that catch people out:

  • Dataverse search must be enabled on the environment first.

  • Add synonyms and glossary terms for any column where your users speak a different dialect to the schema.

“Why doesn’t it find my open opportunities?”

Because your column is called statuscode and your users say “stage.” Synonyms fix that.

Add a Microsoft 365 Graph connector for content

Graph connectors are the other knowledge model — they index external content (Jira, ServiceNow, file shares, intranets) into the same semantic graph that Copilot already uses for Teams, SharePoint, and mail. Set them up in the Microsoft 365 admin center → Search & intelligence → Connectors. ACL-based permission trimming is preserved, so users only see what they’re allowed to see. Microsoft has a clear overview here.

Notice what’s missing? Dataverse is agent-scoped knowledge. Graph connectors are tenant-scoped knowledge. Different governance owners. Plan accordingly.

Add a connector as a tool

In your agent, Tools → Add a tool → Connector. Pick a standard, premium, or custom Power Platform connector. Now the agent can act — create a row, post to Teams, hit your line-of-business API.

Tool = action. Knowledge = retrieval. Don't confuse the two.

Pick the right credentials mode

Every tool asks one question that quietly decides your security posture: Maker Credentials or End User Credentials?

  • Maker Credentials: the connection runs as you, the builder. Easy demos. Terrible for anything user-specific.

  • End User Credentials: each chatter authenticates with their own account. Slightly more clicks for users. The only sensible default for production. Details here.

My recommendation? Default to End User and only fall back to Maker when there’s a genuine service-account scenario — like reading a shared mailbox.

Why this actually changes behaviour

Here’s the real win. Once authentication is correctly threaded through the agent, the same prompt produces different, personally-relevant answers for every user — because it’s their identity flowing into Dataverse, their Graph results coming back, their connector permissions being honoured.

That’s not a chatbot. That’s a tenant-aware assistant.

The other thing I notice with clients: governance conversations get easier. “Who can see what?” becomes a question of existing Entra groups and Dataverse row security — not a brand-new permissions matrix you have to invent for the agent.

Get the auth pattern right once and every agent you build afterwards inherits it. Get it wrong and you’ll be unpicking the same mess for months.

Wire the pipes. Mind the credentials. Ship something your clients actually trust.

Advance — Use It to Upgrade Your Actual Life

There’s a line I keep repeating. If you’re not reaching for AI every working hour of every day, you’re leaving a silly amount of productivity on the floor. That’s not a pep talk. That’s the baseline now.

But the bit I don’t say loudly enough — the part that actually matters — is this: work is the shallow end. The real compounding doesn’t happen in your quarterly numbers. It happens in the life you build around them.

The job isn’t using it at work

Most people I talk to are still framing AI as a work tool. A faster way to write an email. A quicker way to build a deck in PowerPoint. A cleaner summary of yesterday’s Teams meeting. All useful. All, honestly, the least interesting thing it can do for you.

The long game is personal. You have been handed, for the price of a monthly subscription, a patient thinking partner who will sit with you on any problem, any time of day or night — no ego, no judgement, no billable hour. Whether that’s a Saturday morning over coffee or the drive home after a rough day. Most of my team haven’t really used it that way yet. Honestly, neither had I, until recently.

Every friction point is now a prompt

Think about the things you’ve been avoiding for weeks. They tend to share a shape. A hard conversation with a business partner. A decision about whether to move the family interstate. A contract for a property that you don’t fully understand and don’t want to ask your agent about in front of the vendor.

Every one of those is now a prompt.

Last month I dropped a forty-page purchase agreement into Copilot and asked it to surface everything that wasn’t in my favour. It took about ninety seconds. I walked into the next conversation with three questions I would never have thought to ask, and one clause I’d been about to sign away without a second look. The deal shifted. That moment — that shift — is what I’m talking about.

The conversation you’ve been dreading? Open Copilot in Word, write out what you want to say, and have it stress-test the tone, the gaps, the places you’re being unfair or being walked on. Weighing a big life decision? Give it your situation, the options and what you actually care about, and let it play devil’s advocate until you can hear your own thinking more clearly. Piles of messy personal documents sitting in OneDrive? Point Copilot at them and start asking.

Disrupt yourself first

The job of a good CEO is to look eighteen months down the track and protect the business from whatever’s coming. Most of us accept that as obvious for the companies we run.

Almost none of us apply it to our own lives.

Your job, right now, as a human being, is exactly the same. Look eighteen months ahead. Ask what’s going to be true then about how work, relationships, careers and decisions get made. Then disrupt yourself before the world does it for you — because the world absolutely will.

The people who quietly pick this up — who use Copilot not just for their inbox but for the harder, more personal stuff — are going to look up somewhere in 2027 and realise they’re living a noticeably different life. Not because AI saved them a few minutes on email. Because they used it to think better, decide better, and act earlier than the people around them.

Absorb. Assemble. Align. Advance.

Start today.

Techwerks 30–24 June 2026

CIAOPS Techwerks face to face returns to Melbourne CBD on Wednesday the 24th of June 2026.

The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or by sending me an email (director@ciaops.com) expressing your interest.

The content of these all-day face-to-face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands-on, real-world scenarios. Attendees can vote on topics they’d like to see covered prior to the day, and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best-practice takeaways for each attendee.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters to them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Gold Enterprise Patron = $50 ex GST

Gold Patron = $90 ex GST

Silver Patron = $180 ex GST

Bronze Patron = $360 ex GST

Non Patron = $720 ex GST

I hope to see you there.

Maybe Lists is a better tool?

Most SMBs I walk into are tracking something important in the worst possible place.

An Excel file pinned to a Teams channel. A shared OneNote page. A SaaS tracker they pay for monthly because no one told them there was already one in the tenant.

Then they wonder why nothing gets logged, why two people overwrote each other’s edits, and why the boss can’t see what’s going on.

That’s not a process problem. That’s a tooling problem.

There’s a free, already-licensed, surprisingly capable tracker sitting in every Microsoft 365 plan you sell. Most of your clients have never opened it.

What is Microsoft Lists, really?

It’s a structured tracker. Rows and columns, like a spreadsheet — but every column has a type (date, person, choice, number, attachment), so nobody fat-fingers a status into the wrong column.

It lives in SharePoint underneath, surfaces in Teams as a channel tab, and has its own icon on the Microsoft 365 app launcher. Same list, three doors in.

And it brings two things Excel will never give you: a built-in form for people who shouldn’t see the whole list, and built-in rules that fire emails when things change. No Power Automate. No premium connector. No developer.

A spreadsheet in a Teams channel isn’t a tracker. It’s a graveyard with column headers.

Step-by-Step: build a working tracker in ten minutes
Open Lists from the app launcher

Hit the waffle in Microsoft 365, pick Lists, click + New list. You’re at the list creation chooser.

Pick a template, not a blank list

I know — you want to start from scratch. Don’t. Templates ship with sensible columns, conditional formatting, and views already done. Issue tracker and Work progress tracker cover most SMB scenarios. Adjust later.

Save it to a SharePoint site, not “My lists”

The one step everyone gets wrong. My lists is personal storage — the list can’t easily be moved to a team site later. Save it under the SharePoint site behind the relevant Team. Future-you will thank present-you.

Share the form, not the list

Open your new list and click Forms on the toolbar. The list’s own form pops up. Hit Share form, copy the link, send it to your client, your supplier, the new starter — anyone who shouldn’t see the whole pipeline. Their answers land as new rows. They never see the list itself.

Add a rule from the Automate menu

Click Automate > Rules > Create a rule. Pick a trigger — a column changes, a new item is created, an item is deleted, a date approaches. Pick the column, the value, the person to notify. Done. Microsoft’s own guide walks the same path.

When Status changes to Blocked
notify Assigned To

Notice what’s missing? Power Automate. Premium licensing. A developer. Rules cover the boring 80% of automation. Save Power Automate for the genuinely complex 20%.

Pin it as a tab in Teams

In the relevant channel, click + at the top, pick Lists, choose Add an existing list, paste the SharePoint URL. Now the team uses it where they already work. The official Teams guide spells it out.

Why this actually changes behaviour

“I’ll just email it to you.”

That’s the line that kills every SMB tracker. People email instead of logging.

A Lists form sitting on a channel tab fixes that in a way a spreadsheet never will. Anyone clicks + New, fills four fields, presses save. The rule emails the right person automatically. The boss opens the same list and sees everything, in real time, sortable, filterable, with history.

Meet people where they already are.

Lists isn’t there to compete with your project management tool. It’s there to replace the spreadsheet your clients are pretending is one.

If you’re rolling out Microsoft 365 Business Premium and you’re not showing clients this, you’re leaving value on the table they already paid for.

Align — Your Team Has To Be In On It

I’ve been watching a pattern play out in MSP after MSP lately, and it’s worth naming. The owner or managing director is genuinely switched on about AI. They’re up early on a Saturday tinkering with prompts. They’re subscribed to half a dozen newsletters. They’ve run a pilot on quoting, or proposal drafts, or ticket triage. They can tell you, with real confidence, what GPT-5 does differently to Claude.

Then Monday morning rolls around.

You walk past the techs’ desks and someone is printing a spreadsheet out to “have a proper look at it”. The account manager is manually copying fields from one system into another. The service coordinator is re-reading a long email thread for the third time trying to figure out what the client actually agreed to. Not one of them has opened an AI chat today. Maybe not this week.

The leader has moved. The business hasn’t.

The solo-operator trap

This is where most MSP AI journeys quietly stall. The owner is thinking AI-first. The team is still thinking the way they thought in 2022. And because the owner is the one doing all the experimenting, they can tell themselves a comforting story — we’re on it, we’re ahead of the curve, we’re investing in AI. On paper, yes. In the business, no.

Real adoption isn’t measured by how many prompts the boss has saved or how many pilots are running. It’s measured by what an average Tuesday looks like for the people doing the work. If the first instinct when someone hits a hard problem is to ring a colleague, send an email, or open a spreadsheet — AI hasn’t arrived yet. It’s just a hobby the owner has.

That’s a confronting thought, but it’s the honest one.

You are the coach now

The shift that moves the needle isn’t another tool or another pilot. It’s a change in your job description. At the next team meeting, you stop reporting on AI and start teaching it.

Walk your people through what you tried this week. Show them the prompt that didn’t work, then the one that did. Show them the output that saved you forty minutes on a scope. Let them see you thinking out loud. You don’t need to be an expert — you need to be visibly in motion. That’s what gives them permission to start moving too.

If you’re the most AI-literate person in the building and you keep it to yourself, you’re not leading. You’re collecting.

Make AI the front door

Here’s the non-negotiable I’d put in place this week, and it costs nothing. Every person in the business sets an AI chat — Claude, ChatGPT, or Gemini, pick one — as their browser homepage. Not Google. Not the intranet. Not the weather.

Every single time someone opens a browser, an AI chat window is the first thing they see. A blinking cursor, waiting for a question.

It sounds small. It’s not. Most of the friction stopping people from using AI isn’t capability, it’s habit. They forget it’s there. A homepage removes the remembering. It puts the tool under their nose, dozens of times a day, until asking it first stops feeling like a new behaviour and starts feeling like the normal one.

The real alignment test

So here’s the question I’d sit with. If I walked into your office on a random Tuesday and watched your team for an hour — not you, them — would I see an AI-first business, or would I see a business with an AI-first owner?

If the answer isn’t the same for both, that’s your next piece of work.

Copilot in Teams meetings

People keep telling me Copilot in Teams “writes notes for them”.

That’s not what it does. That’s what an action item list does.

What Copilot does is let you ask a meeting questions. Live, while it’s happening. Or three days later when someone CCs you in and asks for an opinion.

Most SMBs I work with have it switched on and have no idea. Staff have a Copilot license, the meeting has a transcript ticking along, and the Copilot pane sits there unused while everyone scrambles to take their own notes.

Notice what’s missing? The bit where someone actually uses it.

What is Copilot in Teams meetings, really?

It’s a question box that knows what was just said.

You open the Copilot pane during a call, type a question — what have we decided?, what did Sarah commit to?, am I even needed on this one? — and it answers from the live transcript.

After the meeting, that same pane becomes the intelligent recap: chapters, AI-generated notes, suggested follow-ups, and timestamps that jump you straight to the moment someone said the thing that matters.

That’s the whole product. Live Q&A on the meeting, plus a navigable recap after. There’s a broader catalogue of AI features in Teams, but this is the one that earns the license on day one.

Step-by-Step: Turning it on properly

Two things have to be true for any of this to work: a Copilot license on the user, and transcription enabled for the meeting. Without a transcript, the Copilot pane has nothing to read.

Here’s the order I run it.

Enable transcription in the meeting policy

In the Teams admin centre, go to Meetings → Meeting policies, open the policy that applies to your Copilot users, and switch Allow transcription to On. The default global policy is off in some tenants. Check.

Turn Copilot on in the same policy

Same screen, scroll down. Set Copilot to On with or without transcription for genuine flexibility, or On only with transcription if you want a paper trail every time. My recommendation? The second one, especially for any regulated client.

Set the room expectation

Drop one line into the meeting invite: This meeting uses Microsoft Copilot. A transcript will be generated. Teams shows attendees a banner anyway when transcription starts, but writing it once removes the awkward moment.

Show people the pane

Open a meeting. Click the Copilot icon in the toolbar. Ask it something live. Then do it again from the recap tab after the meeting ends. Two clicks. That’s the training.

Why this actually changes behaviour

The win isn’t the summary. The win is what people stop doing.

Here’s the real one. They stop typing notes mid-meeting. They stop joining meetings they didn’t need to be in, because the recap takes two minutes afterwards. They stop emailing what did we agree? — they ask Copilot, and it answers with a timestamp.

Can I just ask what I missed? Yes. That’s the whole point.

Copilot doesn’t replace the meeting. It replaces the scramble around the meeting.

For regulated clients, the privacy notes for intelligent recap are worth ten minutes — they’re the answer when a client asks “but is this safe?”

Copilot in Teams meetings isn’t there to take notes for you. It’s there to make notes optional.

If you’re not showing your SMB clients this in their next review, someone else will.