Need to Know podcast–Episode 364

A weekly roundup of Microsoft Cloud news with a focus on SMBs. Key topics include Microsoft’s internal testing of an always-on AI assistant, major security threats such as Russian state-sponsored router hijacking and advanced phishing attacks, updates to Microsoft Teams, and a retrospective on SharePoint’s evolution. Robert also discusses the challenges and strategies for adopting AI in business, emphasizing the need for a unified, collaborative approach to AI usage within organizations.

Brought to you by www.ciaopspatron.com

you can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-365-siloed-ai/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog – CIAOPS – Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency

Join my Teams shared channel – Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron – CIAOPS Patron

CIAOPS Brief – CIA Brief – CIAOPS

CIAOPS Labs – CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS – Support CIAOPS

Get your M365 questions answered via email

Join the CIAOPS Email list – Please fill out this form

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

Show notes

Microsoft tests ‘ClawPilot’ AI agent for 3,000 staff

SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

What’s New in Microsoft Teams | April 2026

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

The Future of SharePoint

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

Tuning Safe Links and Safe Attachments in Defender for Office 365 Without Breaking Your Tenant

If you’re running M365 Business Premium for clients, Safe Links and Safe Attachments are already doing work — whether you configured them or not. The Built-in protection preset applies to every mailbox the moment Defender for Office 365 is licensed. The question isn’t “is it on?” — it’s “is it tuned for the way your client actually receives mail?” Out of the box, it’s closer to a safety net than a security control.

Prerequisites MSPs skip

Before you touch a single policy, confirm three things. First, mail has to flow through Exchange Online Protection. Hybrid tenants with a third-party gateway in front (Mimecast, Proofpoint, anything rewriting URLs) will often cause Safe Links to skip wrapping — Microsoft explicitly warns that pre-wrapping can prevent Safe Links from processing the link at all. Second, confirm licensing: Safe Links and Safe Attachments require Defender for Office 365 Plan 1 (included in Business Premium). Plan 2 features (Safe Documents, Threat Explorer real-time detections) need separate entitlement. Third, set quarantine notifications up before you tighten policies — users need end-user spam notifications or a quarantine policy with access enabled, or your service desk gets the entire phishing queue.

Where to configure — Standard preset, not custom, 90% of the time

The Microsoft Defender portal is your canonical surface: security.microsoft.com → Email & collaboration → Policies & rules → Threat policies. From there:

Preset security policies for 90% of clients. Enable Standard, assign to all recipients by domain.
Safe Links and Safe Attachments tiles are for custom policies — only use them when a specific user group needs different behaviour (execs on Strict, a lab OU excluded, etc.).
Configuration analyzer — this is the tile most MSPs never click. It diffs your current policies against Standard and Strict baselines and flags every setting that’s weaker than Microsoft’s recommendation.

Microsoft’s own guidance is explicit: prefer presets over custom policies. See Set up Safe Links policies and Set up Safe Attachments policies.

The rollout pattern that actually works

Don’t flip Strict on Monday morning. Use a three-ring rollout:

Ring 1 — IT and security-aware staff (week 1). Assign Standard preset. Watch quarantine, false-positive submissions, and user complaints. This ring tolerates noise.
Ring 2 — a tolerant business unit (week 2–3). Finance is usually a bad pilot (high-volume invoices with wrapped URLs confuse people). Pick sales ops, marketing, or IT-adjacent teams.
Ring 3 — everyone else (week 4+). By now you have a real signal on which domains need Tenant Allow/Block entries.

For Strict preset, add a fourth ring limited to exec and finance groups — or leave it off. Strict’s aggressive bulk thresholds (BCL 4) will blow up newsletters and marketing workflows. Details at Preset security policies.

Top three pitfalls

1. Custom policies silently overriding presets. Preset security policies have the highest priority except when a custom policy explicitly targets the same user. If you inherited a tenant with a custom Safe Links policy from 2019 that says AllowClickThrough = true, it beats your shiny new Standard preset. Audit first: open every existing policy before assigning presets.

2. Over-allowlisting domains. Every entry in “Do not rewrite the following URLs” is a permanent click-through exception. Treat it like firewall rules — justify, document, review annually. A forgotten *.sharepointdomain.com wildcard is how payloads land.

3. Ignoring the Configuration analyzer. Run it quarterly. Tenants drift: an admin raises a threshold to silence a complaint, nobody reverses it, six months later the baseline is gone. The Configuration analyzer surfaces this in one screen.

Tune deliberately, measure through Threat Explorer, and treat preset policies as your default — the time to build a custom policy is when you can describe exactly which preset setting it’s overriding and why.

A Great Product Scales. A Great System Scales. But Leaders Multiply.

Most MSPs I talk to are chasing scale.

More endpoints. More seats. More tools. More revenue per engineer.

And that makes sense—up to a point.

But here’s the uncomfortable truth: products scale. Systems scale. Dashboards scale. Yet the thing that actually determines whether an MSP breaks through the next ceiling isn’t any of those.

It’s leadership.

In particular, whether you’re multiplying your people—or slowly becoming the bottleneck without realising it.

The Hidden Scaling Problem in Many MSPs

I see this pattern constantly.

The MSP owner is sharp. Knows the stack inside out. Answers client questions quickly. Fixes problems fast. Reviews every proposal. Tweaks every process.

On the surface, it looks like control. Underneath, it’s fragile.

Because when knowledge, judgement, and decision‑making live in one or two heads, the business doesn’t really scale—it stretches. And stretched systems eventually snap.

This is where Microsoft 365 Copilot genuinely changes the conversation—not because it “does AI”, but because it shifts who can think, decide, and act with confidence.

Copilot Isn’t About Speed. It’s About Trust.

When I work with MSP teams implementing Copilot properly, the biggest change isn’t faster emails or prettier documents.

It’s trust.

A junior engineer can review a complex email thread and ask Copilot to summarise what actually matters—before responding to a client.

A service manager can draft options for a tricky renewal conversation without escalating every time.

An account manager can walk into a QBR already across usage, risks, and open issues—without waiting for someone else to spoon‑feed them.

That’s not automation. That’s capability transfer.

Instead of leaders being the thinking engine for the business, Copilot becomes a quiet amplifier that helps the team think better on their own.

Systems Scale. Leaders Multiply.

Here’s the distinction I think too many MSPs miss.

Systems help people follow rules. Leaders help people exercise judgement.

Copilot sits squarely in the second category—if you use it intentionally.

I’ve seen MSPs roll it out as “another tool” and get negligible value. Everyone plays with prompts for a week, then goes back to old habits.

The MSPs getting real results are doing something different: they’re pouring into their people.

They’re teaching staff how to reason through problems using Copilot as a second brain. How to sanity‑check assumptions. How to prepare before asking for help instead of defaulting to escalation.

That’s leadership multiplication.

And it compounds faster than any new tool rollout ever will.

What This Means for MSP Owners

If you’re serious about scaling, the question isn’t “Have we deployed Copilot?”

It’s:

Are my people making better decisions without me?
Are conversations getting clearer, not noisier?
Are we reducing dependency on tribal knowledge?

Copilot won’t fix weak leadership. But in the hands of leaders who invest time, context, and expectation into their teams, it accelerates growth in ways traditional systems never could.

The Return Might Surprise You

Here’s what tends to happen when MSP leaders commit to developing people—not just installing tools.

Fewer interruptions. Faster client responses without panic. Better internal conversations. More confidence across the business.

And eventually, something even more valuable: space.

Space to think strategically instead of reactively. Space to focus on the business instead of being trapped inside it.

So yes—great products scale. Great systems scale.

But if you want an MSP that genuinely grows without breaking, keep pouring into your team.

That return doesn’t just surprise you.

It changes everything.

Shipping Intune App Protection Policies for BYOD: What Actually Works in Production

App Protection Policies (APP, sometimes called MAM) are the single highest-ROI control in Business Premium for BYOD. You get corporate data containerisation on an unenrolled iPhone or Android device in about an afternoon — if you avoid the usual landmines. Here’s the pattern I ship to MSP clients.

Prerequisites people miss

APP only protects apps that implement the Intune App SDK (Outlook, Teams, Word, Edge, OneDrive, etc.). That’s most of M365, but not every third-party app the user loves. Before you touch a policy:

Every targeted user must have an Intune Plan 1 licence (bundled in Business Premium and the E3/E5 stack).
Company Portal must be installed on Android. iOS doesn’t strictly need it for MAM-WE (without enrolment), but Authenticator is required for sign-in brokering.
For Android, you need the Play Integrity verdict configured if you plan to block rooted devices — and Play Store access, which rules out many China-market devices.
Decide now whether you’ll pair APP with a Conditional Access grant of Require app protection policy. If yes, your CA policy needs to exclude break-glass accounts and any service accounts that hit Graph from mobile.

See the App protection policies overview for the full support matrix.

Where to configure

Everything lives in the Microsoft Intune admin center at intune.microsoft.com:

Apps → App protection policies → Create policy → pick iOS/iPadOS or Android. You create one policy per platform.
Target apps: start with “Selected apps” and pick the core Microsoft apps. Do not start with “All Microsoft Apps” — you’ll regret it the first time Teams Rooms or a hybrid meeting app trips the policy.
Data protection settings: align with Microsoft’s Level 2 enterprise enhanced framework as your default. Level 1 is too loose for anyone storing client data; Level 3 breaks copy/paste workflows most SMBs rely on.
Access requirements: PIN of 6 digits, biometric allowed, 30-minute offline grace.
Conditional launch: jailbreak/root = Block access, min OS version = current−1, max PIN attempts = 5 → Wipe data. Full reference at Conditional launch actions.

The rollout pattern that actually works

Three rings, two weeks each, no exceptions:

Ring 0 — IT and champions (5–10 users). Assign to a dynamic security group. Set Conditional launch actions to Warn, not Block. Let it bake. You are looking for app conflicts, not policy correctness.
Ring 1 — Pilot department (25–50 users). Flip conditional launch to Block. Enable CA “require app protection policy” in report-only mode. Watch sign-in logs for a week — you will find the one user still using the native iOS Mail app.
Ring 2 — Everyone. Move CA to On. Decommission any “allow legacy auth” exceptions at the same time — clients will push back, hold the line.

Use assignment filters (not separate groups) to carve out corporate-owned devices from BYOD rules. It scales; groups don’t.

The three pitfalls that bite

1. Policy conflicts silently pick the most restrictive value. If a user is in two groups with different PIN lengths, they get the longer one — and no error surfaces. Run one policy per platform per persona. Document which group wins.

2. Selective wipe isn’t device wipe. Apps → App selective wipe removes corporate data from managed apps only — photos, personal iMessages, the user’s Spotify library all stay. Train your service desk to say this out loud when an employee leaves. Also: the wipe only fires the next time the user opens the app, and can take 30 minutes.

3. Conditional launch “Min OS version” will brick users overnight. When Apple ships iOS 19 and you’ve set “Min OS version = 18”, a user on 17 walks in on Monday and can’t open Outlook. Always pair Min OS version with a Warn action first, run it for a fortnight, then escalate to Block.

Get these three right and APP is genuinely boring — which, for mobile security, is exactly what you want.

CIA Brief 20260509

Here’s a summary of the 10 stories posted in the Patrons News channel over the last 7 days, grouped by topic.

Security & Threat Intelligence

SOHO router compromise leads to DNS hijacking and AiTM attacks — Microsoft Threat Intelligence reports that Russian military-linked actor Forest Blizzard (sub-group Storm-2754) has compromised insecure home/small-office routers, redirecting DNS to attacker-controlled infrastructure to enable adversary-in-the-middle attacks against Outlook on the web. Over 200 organisations and 5,000 consumer devices have been impacted since August 2025. https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/
ClickFix campaign uses fake macOS utilities to deliver infostealers — Threat actors are posting fake macOS troubleshooting guides on Medium, Squarespace and Craft pages instructing users to paste Terminal commands that install Macsync, Shub Stealer or AMOS infostealers, which exfiltrate Keychain entries, iCloud data and crypto wallet keys (and sometimes replace Ledger, Trezor and Exodus apps with trojanised versions). https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
Multi-stage ‘code of conduct’ phishing leads to AiTM token compromise — A large credential-theft campaign (April 14–16) targeted ~35,000 users across 13,000 organisations in 26 countries, mostly US, using polished “internal regulatory” emails with PDF attachments. The chain ran through CAPTCHAs and staging pages before hitting an AiTM Microsoft sign-in flow that captures auth tokens. https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/

Microsoft 365 Product Updates

What’s new in Microsoft Teams – April 2026 — Headline features include Copilot call delegation, Interpreter agent enhancements (consecutive interpretation, sign-language attribution), targeted messages from agents, sensitivity-label inheritance for recordings and Loop notes, an External Domains Anomalies Report, and Teams Phone user multi-line (up to 10 numbers per user). https://techcommunity.microsoft.com/blog/microsoftteamsblog/whats-new-in-microsoft-teams–april-2026/4515907
Microsoft 365 E7 and Agent 365 are now generally available — Microsoft’s new top-tier M365 SKU and the Agent 365 platform have moved to general availability (announced 1 May 2026). https://techcommunity.microsoft.com/blog/microsoft_365blog/microsoft-365-e7-and-agent-365-are-now-generally-available/4516295
Get more out of Microsoft Clipchamp with these little-known features — A walk-through of Brand kits for consistent logos/colours/fonts, fade and blur transitions, automatic captions, aspect-ratio presets for repurposing content, and built-in stock search — plus Copilot in the Clipchamp video hub for searchable, summarised playback. https://techcommunity.microsoft.com/blog/microsoft365insiderblog/get-more-out-of-microsoft-clipchamp-with-these-little%E2%80%91known-features/4514855

Identity, Security & SIEM Platform

Lock down AI, web and private apps – what’s new in Internet Access and Private Access — Updates to Microsoft Entra’s Global Secure Access covering tighter controls for AI traffic, web and private application access. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/lock-down-ai-web-and-private-apps-what%E2%80%99s-new-in-internet-access-and-private-acce/3847825
What’s new in Microsoft Sentinel – April 2026 — RSAC-aligned updates including OSINT reports inside Threat Analytics, hard cost-limit enforcement for KQL queries and notebooks, new connectors (CrowdStrike, Imperva Cloud WAF, AWS ELB, rebuilt Logstash output plugin), Sentinel data federation, custom graphs, MCP entity analyzer GA and a Claude MCP connector. https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/what%E2%80%99s-new-in-microsoft-sentinel-april-2026/4516354

CIAOPS Content

CIA Brief 20260502 — Robert’s weekly roundup of Microsoft 365, Copilot, AI and security news for the week ending 2 May 2026, covering items including the M365 E7 / Agent 365 GA announcement. https://blog.ciaops.com/2026/05/02/cia-brief-20260502/

Archive / Reference

The Future of SharePoint (2016 post) — Jeff Teper’s original “Future of SharePoint” announcement from May 2016, unveiling the cloud-first, mobile-first SharePoint vision, modern team sites, the SharePoint mobile app and the SharePoint Framework. Reposted to the channel for reference. https://www.microsoft.com/en-us/microsoft-365/blog/2016/05/04/the-future-of-sharepoint/

After hours

Why Would Anyone Live in NYC? – https://www.youtube.com/watch?v=POg3_b9txwM

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

The Market Has Shifted. MSPs Need to Catch Up.

I’m seeing the same pattern play out across MSPs right now, and it has nothing to do with margin, tools, or ticket volume.

It’s about how buying decisions are made.

We’ve quietly moved from a world where MSPs convinced prospects on sales calls to one where high‑agency buyers largely decide before they speak to anyone. By the time they reach out, they’re validating a decision, not asking to be persuaded.

That shift is why sales calls are feeling harder, longer, and more expensive every quarter. And it’s why the way we position Microsoft 365 Copilot matters far more than most MSPs realise.

Your Buyer Has Already Done the Thinking

The SMB leaders I talk to aren’t confused anymore. They’re overloaded—but informed.

They’ve watched demos. They’ve tried tools. They’ve seen AI generate documents, answers, and summaries in seconds. What they’re struggling with isn’t capability, it’s judgement.

They want to know:

What does this actually change about how my team works?
Where does it save thinking time, not just typing time?
What’s safe, sustainable, and embedded into existing workflows?

This is where Copilot quietly wins—and where most MSPs fail to explain it.

Too many conversations still focus on features, licensing, or “AI add‑ons”. That framing belongs to the old market. The new one cares about outcomes and confidence.

Copilot Changes How Work Happens—Not Just How Fast

What I’m seeing with Microsoft 365 Copilot isn’t magic. It’s leverage.

Used properly, Copilot stops work from fragmenting across tools, prompts, and half‑finished ideas. It keeps thinking inside the systems people already live in—Outlook, Teams, Word, meetings, files.

For example, instead of staff chasing context across emails, notes, and chat threads, Copilot helps them reconstruct why a decision was made. Instead of rewriting the same update five times, people start with a structured draft that reflects real business language—not generic AI fluff.

The biggest shift isn’t productivity. It’s cognitive load.

When people spend less time searching, summarising, and re‑explaining, decision quality improves. That’s the kind of value SMB leaders notice quickly—even if they don’t use that language.

Why MSP Sales Models Are Breaking

Here’s the uncomfortable truth: MSPs who rely on long sales calls to educate prospects are already behind.

High‑agency buyers don’t want to be taught basics in a call. They want clarity before the call. They want to self‑qualify, explore scenarios, and understand implications on their own terms.

Copilot fits this shift perfectly—but only if MSPs stop treating it like “another product to sell” and start positioning it as an operational upgrade.

Your role isn’t to demo buttons. It’s to help clients:

decide where Copilot shouldn’t be used yet
align it with real workflows
reduce risk while increasing confidence

That advisory role builds trust long before a proposal is signed.

The MSPs That Will Win

The MSPs pulling ahead aren’t louder or cheaper. They’re clearer.

They create content that helps clients think. They show how Copilot actually fits into meetings, reporting, and daily decision‑making. They let buyers arrive informed—and ready.

The market isn’t asking MSPs to sell harder. It’s asking them to lead better.

Copilot isn’t the story. The shift in how decisions are made is.

If your sales pipeline feels heavier than it used to, that’s not a closing problem. It’s a positioning one.

And it’s fixable—if you meet your buyers where they already are.

Self-Service Password Reset with writeback: the rollout that doesn’t burn your helpdesk

SSPR is a box most MSPs tick on day one of a Business Premium tenant and then never look at again. That’s fine until a hybrid customer calls because Karen changed her password on My Sign-Ins, logged into her domain-joined laptop, and got rejected. SSPR without writeback is half a feature. Here’s how to deploy the whole thing properly.

Prerequisites people miss

The obvious ones — an Entra ID P1 license (included in Business Premium) and either Entra Connect Sync or Entra Connect Cloud Sync — aren’t where rollouts die. The misses are:

On-prem AD permissions for the sync account. The account running Connect (or the Cloud Sync provisioning agent) needs Reset password, Change password, Write lockoutTime, and Write pwdLastSet on the user OUs. The Connect wizard grants these if you let it; locked-down AD environments often don’t. Writeback fails silently if these are missing.
A matching on-prem password policy. Entra enforces its own complexity rules. If your on-prem policy is stricter (minimum length, history, banned words), a user’s new cloud password will be rejected by AD when it writes back, and the user will see a generic error. Align them before you enable, not after.
Combined registration actually enabled and enforced. Legacy SSPR-only registration still exists in old tenants. If users register methods for MFA but not SSPR, the reset flow blocks them.

See Microsoft’s writeback concept doc for the full supported-operations list: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback(opens in new window).

Where to configure it

Everything is in the Entra admin centre — no PowerShell required for a standard deploy.

Protection → Password reset → Properties to scope SSPR to a pilot group, then all users.
Protection → Password reset → Authentication methods to require two methods and pick which ones (drop SMS, keep Authenticator + email, add Questions only if you must).
Protection → Password reset → On-premises integration to flip writeback on. If you’re using Cloud Sync, enable it in the provisioning agent config per the tutorial: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback(opens in new window).
Protection → Authentication methods → Registration campaign to nudge users into combined registration: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-registration-mfa-sspr-combined(opens in new window).

The rollout pattern that works

Don’t flip it on tenant-wide. The pattern that doesn’t generate tickets:

Pilot group of ~10 — IT plus two friendly business users. Scope SSPR to that group only. Verify a reset from My Sign-Ins actually lands in AD (pwdLastSet on the DC is your proof).
Registration campaign to the pilot for 14 days. Force them through combined registration. Watch the Registration report for stragglers.
Broaden by department, not by “All users.” Finance first, then ops, then field staff. Each wave gets the campaign a week before the SSPR scope flips.
Protect the registration step with Conditional Access. Use Register security information as the user action and require MFA (or a Temporary Access Pass for new starters): https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-security-info-registration(opens in new window). Without this, an attacker who phishes a password can register their own MFA method and own the account.

Top pitfalls

Admins can’t use SSPR the same way users can. Privileged roles are locked to strong methods and can’t rely on Security Questions. Test with an admin-tier account before you cut over — and keep a break-glass account that is explicitly excluded from the CA registration policy.
Writeback “works” but the user still can’t log in. Nine times out of ten this is cached credentials on a domain-joined laptop that hasn’t seen a DC since the reset. Tell the user to connect to the corporate network or VPN and lock/unlock. Bake this into your helpdesk script.
Cloud Sync vs Connect Sync confusion. You can run them side-by-side, but writeback must be enabled on whichever one syncs that user’s domain. Audit first — we’ve seen tenants with both running where writeback was enabled on the wrong one and nobody noticed until a reset failed.

Enable it properly once, and SSPR moves from a compliance checkbox to a real helpdesk-deflection tool.

A Cleaner Way to Connect PowerShell to Exchange Online

If you still rely on Connect-ExchangeOnline with a username, password, and an MFA prompt, you already know the pain. Scripts break overnight. Scheduled tasks fail when a token expires. Service accounts get flagged by conditional access. And the moment someone enables MFA on the admin account you’ve been quietly using, your automation falls over.

I’ve been written a new script —

https://github.com/directorcia/Office365/blob/master/o365-connect-exo-cert.ps1

with full documentation here:

https://github.com/directorcia/Office365/wiki/Connect-to-Exchange-Online-with-Certificates

— that swaps all of that for certificate-based app authentication. There’s nothing exotic about the underlying approach; Microsoft has supported it for years. What’s been missing is a clean, one-shot way to set it up without spending an afternoon clicking through the Entra portal. That’s what this script gives me, and I think it earns its place in any MSP’s toolkit.

What the Script Actually Does

There are two modes, controlled by switches.

-GenerateLocalCertificate creates a self-signed RSA-2048 certificate in your current user’s certificate store, exports the public key as a .cer file, and optionally exports a password-protected .pfx. By default it’s valid for two years. That’s the local side of the handshake.

-UseCertificateAuth is the everyday mode. You tell it which tenant to connect to — or let it look up the details in a profile map file — and it signs into Exchange Online using that certificate. No password. No browser. No MFA dialog.

The clever bit is the third option: combining -GenerateLocalCertificate with -ProvisionEntraApp -Tenant 'contoso.onmicrosoft.com'. In a single run, the script will generate the local certificate, authenticate to Microsoft Graph via a device-code flow, create the Entra ID app registration if it doesn’t exist, upload the certificate, grant Exchange.ManageAsApp and Application.Read.All with admin consent, create the matching service principal, sign you into Exchange Online to add the app to the Organization Management role group, and save the tenant, app ID, and certificate thumbprint to a JSON profile file so future connections don’t need any of those parameters.

That’s a job that normally takes twenty minutes of clicking, copying GUIDs, and second-guessing whether the right role got assigned. The script does it in about ninety seconds.

Getting Started

If you’re new to certificate auth, the first run is the one that matters. Drop the script onto an admin machine, open PowerShell, and run:

.\o365-connect-exo-cert.ps1 -GenerateLocalCertificate -ProvisionEntraApp -Tenant 'yourtenant.onmicrosoft.com'

You’ll be prompted to sign in twice — once via device code for the Graph permissions (which if you use the –copydevicecodetoclipboard, option will put the required device code straight into the clipboard to paste into the request), then again with Connect-ExchangeOnline so the script can add the app to the role group. Both need a Global Admin account. After that, every future run is just:

.\o365-connect-exo-cert.ps1 -UseCertificateAuth -Tenant 'yourtenant.onmicrosoft.com'

No prompts. No browser. The script reads the tenant, app ID, and thumbprint from o365-exo-cert-auth.json (saved to parent directory), finds the certificate in your local store, builds a signed JWT, and you’re in. One caveat worth flagging: when you’ve just provisioned a brand-new app, give it fifteen to thirty minutes for role assignments to replicate before you try to connect. The script warns about this in its output, but it’s the single most common reason a fresh setup looks broken when it isn’t.

If you’re managing more than one tenant, the profile file is where this really earns its keep. Each provisioning run appends or updates an entry, so you can ask for a connection by -ProfileName, -Tenant, or -Organization and the script picks the right credentials. When several profiles match, it lists them and lets you choose.

Why Certificates Beat Passwords

The security argument is the easy one. A certificate’s private key never leaves the machine that generated it. Nothing crosses the wire that an attacker could intercept and replay. There’s no shared secret to rotate across a team, no admin password sitting in a vault that someone might extract, and no MFA bypass to engineer because the flow doesn’t involve a user account at all.

Permissions are scoped too. The app holds only Exchange.ManageAsApp and read-only access to application metadata. If the certificate is ever compromised, you remove the key credential from the app registration and the access is gone — no password reset required, no impact on any human admin account.

The script enforces TLS 1.2, refuses to assign RBAC if the EXO session has landed in the wrong tenant, warns when the certificate is within thirty days of expiry, and keeps the device-code value off the clipboard by default to avoid leaks on RDP or shared sessions. Small things, but they add up.

Why It’s a Win for Automation

Certificate auth is what makes unattended Exchange Online work actually unattended. A scheduled task running at 2 a.m. doesn’t have a human to click “Approve” on an MFA prompt. With this approach, you point Task Scheduler at the script with -noprompt, pass the tenant, and walk away.

For an MSP, that becomes a per-tenant capability rather than a per-admin one. One profile file, one shared script, separate certificates per tenant or per admin machine — and now mailbox audits, distribution group cleanup, shared mailbox provisioning, and any of the other recurring chores you keep meaning to automate can run on a timer instead of waiting for a quiet Friday afternoon. Pair it with a Power Automate flow or a daily Copilot summary in Teams, and you’ve got reporting that lands in front of the right people without anyone signing in.

Where I’d Take It Next

If you’ve never moved off interactive sign-in for Exchange Online, this is the path I’d take. Spend half an hour standing it up against a test tenant. Get comfortable with the profile file. Then start moving your scheduled work over, one job at a time. The shift from “who’s signing in?” to “which certificate is presenting itself?” is a quiet one, but once your automation stops breaking every time an admin’s MFA settings change, you won’t go back.