Announcing the CIAOPS Power Automate online course


I have just released my new Introduction to Power Automate course which you can find here:

The course is designed to give you a kick start into the world of automation with Microsoft 365. You’ll learn what Power Automate and Flows are including how to create the different types as well as use connectors to work with data from a variety of sources.

Inside you’ll find a variety of resources including video tutorials, web references, quizzes, examples and more. Upon completion, you will have the confidence to start automating many processes in your business.

Once you get started with Power Automate you’ll be amazed at how much time you’ll save, all using the tools that come with Microsoft 365.

Start here. Start today. And get more time in your day.

Device actions during an incident

Much of the protection with Microsoft Defender for Endpoint is taken care of for you automatically, but let’s say you want to conduct an investigation/remediation process manually. How would you achieve this?


Step 1

Login to the Microsoft 365 Security admin portal with the appropriate permissions. Select Devices from the Assets menu on the left.

You should see a list of the devices that Defender for Endpoint knows about. Select the machine in question to display it’s detailed information as shown above.

In the top right of this dialog on the right you will see an ellipse (three dots). Select these three dots to reveal an actions menu.

Step 2

Now you need to decide how aggressive you want to be during this investigation as that will have a direct impact on the end users experience on the device.

Level 1


The most aggressive option, that will have the greatest impact on the user is select the Isolate Device from the menu as shown above.


On the dialog that appears, enter a comment and select the Confirm button. Don’t select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. This allow you to initiate a live response session. It also prevents an attacker from accessing the device remotely.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 2

This is less impactful to the end user and similar to the previous step.


Select the Isolate Device from the menu as shown above.


Here, select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

Enter a comment and select the Confirm button.

This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. This allow you to initiate a live response session, while preventing an attacker gaining remote access. It will also allow the end user to continue using Outlook, Teams and Skype for Business while you conduct the investigation. However, it does not permit connection to anywhere else, including the Internet.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 3


From the menu select Restrict App Execution as shown above.

This applies a code integrity policy remotely that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. Thus, Office applications (Word, Excel, Outlook, etc), Edge browser, etc can now run without restriction. However, non Microsoft signed applications can’t.

Typically, a malicious program on the device can now not execute however the user can still continue to work inside certified Microsoft applications.


Enter a comment and select the Confirm button to complete the restriction process.

More information – Microsoft defender for Endpoint Restrict app execution

More information – Defender for Endpoint device execution restrictions

Step 3


The device will display a notification like that shown above.

Step 4

You can now take whatever actions you need to complete the investigation ready for return to service

Step 5

Remove any restrictions. To do, all you need to do to achieve this is return to the ellipse menu and select option to remove the restriction.

Here that would be Remove app restriction as shown above.

You’ll again simply need to add comment and select the Confirm button to remove the restriction.

So, that’s how you can intervene manually with security incidents if you need to at different impact levels for end users.

Power Automate Email Arrive action file size only 4 bytes


If you create a Power Automate with a trigger of When a new email arrives (V3) and you want to work with attachments in your Flow, ensure you select the Show advanced options as shown above.


If you don’t you’ll end up with saved attachments of only 4 bytes in size as shown above as by default the action doesn’t include attachments.


To work with attachments in your Flow, ensure the Include Attachments option is set to Yes as shown above. Then you’ll be able to do things like save the whole attachment to OneDrive for Business.

Subscribing a Sparkfun ThingPlus ESP32-S2 WROOM to Adafruit IO

I have now been able to successfully publish temperature data from a ESP32-S2 device to Adafruit IO as I detailed here:

The next thing I want to achieve is to ‘push’ data down to the device from the Adafruit IO web site.

The starting point for this is to create a new feed in Adafruit IO. You’ll find how to do that here:

To inject data into this feed I’ll need to create a Dashboard in Adafruit IO. You can find out about doing that here:

In my case, I’ll add an ON/OFF button to the dashboard and connect that button to the feed I just created.


This will basically inject the text values ON and OFF into the feed, which I’ll then read on my device and take action.

The code looks similar to last time but now:

Adafruit_MQTT_Subscribe onoffbutton = Adafruit_MQTT_Subscribe(&mqtt, AIO_USERNAME “/feeds/onoffbutton”);

You’ll see that I define a variable using the Subscribe method.

while (subscription = mqtt.readSubscription(2000)) {

Serial.println(F(“Received button data”));

if (subscription == &onoffbutton) {

Serial.print(F(“Got: “));

String ledstatus = (char *)onoffbutton.lastread;

The core of the program on the device is the statement starting above that reads from the feed, and if contains a value, it then takes an action. In this case, I look for the text ON or OFF in the feed and then take the appropriate action with the inbuilt LED on the device.

The result looks like:


You’ll find the code at:

So using Adafruit IO I’ve able to pretty easily send information to a dashboard and receive information from a dashboard. I now need to have a look at sending data from Azure to the device but I’m in no rush to do that just yet as I figure it will take a bit of work. I think my next project will trying to use the device to control some motors and add ‘motion’ to my project.

Stay tuned for more.

CIAOPS Need to Know Microsoft 365 Webinar – June


Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at SharePoint Lists.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

June Webinar Registrations

(If you are having issues with the above link copy and paste –

The details are:

CIAOPS Need to Know Webinar – June 2023
Friday 30th of June 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Connecting a Sparkfun ThingPlus ESP32-S2 WROOM to Adafruit IO

After my previous success getting data into Azure IoT Central I now wanted a way to send data the other way. That is to the device from the cloud. However, I could see this being a challenge if I continued to use Azure as my cloud endpoint. What I really needed was something simpler to help me better understand the core communication concepts.

With this in mind I discovered:

that is much easier to use to do the basic stuff I wanted.

I therefore went to Adafruit IO and created a free account. This will then give you access to:

I then needed to create a ‘Feed’ into which the data from my device would be sent so that it could then appear in the Adafruit IO console. You can follow these instructions to create a ‘Feed’:


To get the credentials you’ll need to connect to the feed you just created you’ll need to select the ‘key’ icon in the top right of the window as shown above to reveal the details.


You should see a dialog like that shown above with your Active key. It is also handy to grab the sample code displayed below.

You’ll need the following headers/libraries in your code:

#include <Arduino.h>
#include <WiFi.h>
#include <Adafruit_MQTT.h>
#include <Adafruit_MQTT_Client.h>

you’ll also need to define a few things:

#define AIO_SERVER “”
#define AIO_SERVERPORT 1883
#define AIO_USERNAME “<Adafruit IO user name>
#define AIO_KEY “<Your Active key>
#define WLAN_SSID “<Your WiFi name>
#define WLAN_PASS “<Your Wifi password>

You’ll need to enter your own values for the last few to suit your own environment.

Next, you need to connect to the feed you created using:

// Setup the MQTT client class by passing in the WiFi client and MQTT server and login details.


Adafruit_MQTT_Publish feed= Adafruit_MQTT_Publish(&mqtt, AIO_USERNAME “/feeds/<Your feed name>”);

The feed variable here is where you will ‘publish’ data to be sent to the Adafruit IO console. The main loop running on the device will then contain something like this:

if (!feed.publish(ciaaht_getTemp())) {
else {

which in essence, publishes data to the feed you created. In my case, I’m feeding in temperatures data via the function ciaaht_getTemp() which get the temperature from the DHT20.

There is a little bit more to it than that, but all the code is here:

including the custom temperature sensor functions code I created previously.


With the code now uploaded to the ESP-32 I was able to see the data appearing in my feed in Adafruit IO as shown above. You’ll also see in my code that I used the on board LED as kind of indicator to let me know if things were working. A visual debugger if you like.

As you can see, getting data into Adafruit IO is much, much easier than into Azure IoT Central and I understand why that is and I’d suggest people start with Adafruit IO before moving to Azure. There is far less code with Adafruit IO making far easier to debug and understand.

With this now working and displaying temperature from my sensor, it is time to try and now send data to the device to control it from the cloud. Look out for that update coming soon!

Need to Know podcast–Episode 303

Join me for all the news an updates from Microsoft Build as well as a look at the Microsoft Package Manager, Winget.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show

Brought to you by



Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron


YouTube edition of this podcast

Microsoft Build

Microsoft Build Book of News

Expanding IT value in Windows 11 Enterprise and Intune

Windows 365 boot

Announcing new Windows 11 innovation, with features for secure, efficient IT management and intuitive user experience

Microsoft Mesh: Transforming how people come together in the modern workplace

Bringing the power of AI to Windows 11 – unlocking a new era of productivity for customers and developers with Windows Copilot and Dev Home

Hardening Windows Clients with Microsoft Intune and Defender for Endpoint

Cyber Signals: Shifting tactics fuel surge in business email compromise

Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR

Use the winget tool to install and manage applications