Defender for Identity: the sensor you’ve been avoiding just got easy

Most of us treat the domain controller like furniture. It’s been in the corner for fifteen years, it works, and nobody wants to touch it.

But that DC sees everything. Every logon. Every Kerberos ticket. Every “let me just check if this service account still works” at 2am from a machine that has no business asking.

You’re sitting on the single richest source of attack signal in the whole environment, and most small-business tenants aren’t reading a word of it.

That’s not a tooling gap. That’s a switch nobody flipped.

And I get why. For years, turning on Microsoft Defender for Identity meant a download, an installer on every DC, a group managed service account, audit GPOs, and a packet-capture driver. Real work. So it sat on the “later” pile.

Later just arrived. The new sensor changes the maths completely.

What is the Defender for Identity sensor, really?

Forget the marketing. Defender for Identity is a sensor that lives on your domain controllers and watches the authentication traffic they already handle.

It’s looking for the things your antivirus will never see — lateral movement, Kerberoasting, DCSync, someone quietly enumerating your admins. The DC is the witness. The sensor just takes its statement.

Here’s what changed. The version 3 sensor — the “unified” one that went generally available late last year — doesn’t ship as its own agent anymore. It rides inside Defender for Endpoint. If Defender for Endpoint is already onboarded on your DC, the identity sensor is a few clicks in the portal. No installer. No service account. No Npcap.

One caveat before you get excited, and it’s the one MSPs trip on: this isn’t in Business Premium. You need Microsoft 365 E5, E5 Security, EMS E5, or the standalone Defender for Identity licence. Check the SKU before you promise a client anything.

Step-by-Step: turning the sensor on

Assuming Defender for Endpoint is already running on a Windows Server 2019-or-later DC that’s kept current on updates, here’s the path. Everything happens in the Microsoft Defender portal — no remoting onto the box.

Open the activation surface

Go to security.microsoft.com, then Settings > Identities. First time in, it provisions your workspace in a few seconds.

Activate the sensor

Open the Sensors (or Activation) page. Every DC that’s already onboarded to Defender for Endpoint and meets the bar shows up as eligible. Tick it, activate, done. No download, no reboot, no downtime on the DC.

Defender portal → Settings → Identities → Sensors
  [x] DC01  (eligible — Defender for Endpoint onboarded)  → Activate
  [x] DC02  (eligible — Defender for Endpoint onboarded)  → Activate

Notice what’s missing? No installer to copy. No service account to create and babysit. No access key pasted into a setup wizard. If you’ve done this the old way, that absence is the whole story.

Mind the stragglers

Version 3 only covers domain controllers on Server 2019 and later. Got an old 2016 DC, or a standalone AD FS, AD CS, or Entra Connect box? Those still need the classic v2 sensor with its installer. Mixed estates are fine — both versions report to the same workspace.

Set a honeytoken

This is the cheap win everyone skips. Under Settings > Identities > Entity tags > Honeytoken, tag a dormant account as a honeytoken. Give it a tasty name — svc-backup-admin, sql_sa_old — and never use it. Because nothing legitimate ever touches it, any authentication against it is, by definition, someone poking where they shouldn’t. High signal, almost no noise.
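Before you tick boxes in the portal, it helps to know which DCs will show up as eligible and whether the account you are about to tag really is dormant. The script below is an added example, not code from the post or from Microsoft; it assumes the ActiveDirectory RSAT module, WinRM to the DCs, and the post's example name svc-backup-admin for the honeytoken. It splits the DC estate by OS build (Server 2019 is build 17763), checks that the Defender for Endpoint sensor service ("Sense") is present on each, and then checks a honeytoken candidate for recent use and real privileges.

```powershell
# Added example (not from the post): pre-flight for the Defender for Identity v3 rollout.
# Assumes the ActiveDirectory RSAT module and a domain-admin session on a management host.
Import-Module ActiveDirectory

# 1. Split the DC estate: Server 2019+ can take the unified (v3) sensor through Defender
#    for Endpoint; anything older still needs the classic v2 installer.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, OperatingSystem, OperatingSystemVersion

$report = foreach ($dc in $dcs) {
    # OperatingSystemVersion looks like "10.0 (17763)"; Server 2019 starts at build 17763.
    $build = 0
    if ($dc.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }
    $v3Eligible = $build -ge 17763

    # "Sense" is the Defender for Endpoint sensor service. If it is missing or stopped,
    # the DC will not appear as eligible in the portal. Best effort over WinRM.
    try {
        $sense = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
        }
        if (-not $sense) { $sense = 'not installed' }
    } catch { $sense = 'unreachable' }

    [pscustomobject]@{
        DC         = $dc.Name
        OS         = $dc.OperatingSystem
        Build      = $build
        SensorPath = if ($v3Eligible) { 'v3 via Defender for Endpoint' } else { 'classic v2 installer' }
        MDESense   = $sense
    }
}
$report | Format-Table -AutoSize

# 2. Honeytoken hygiene. The "any touch is hostile" assumption only holds if nothing
#    legitimate uses the account. Candidates: enabled users with no logon in 180 days.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 180) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Verify the one you intend to tag (svc-backup-admin is the post's example name).
$honeytoken = Get-ADUser -Identity 'svc-backup-admin' -Properties LastLogonDate, PasswordLastSet, MemberOf
# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a 14-day lag,
# so treat anything inside the last two weeks as "recently used" and pick another account.
if ($honeytoken.LastLogonDate -and $honeytoken.LastLogonDate -gt (Get-Date).AddDays(-14)) {
    Write-Warning "$($honeytoken.SamAccountName) was used recently; choose a different honeytoken."
}
# The name should look privileged; the account must not be. Anything beyond Domain Users here
# is a real attack path, not bait, so strip it before tagging.
if ($honeytoken.MemberOf) {
    Write-Warning "$($honeytoken.SamAccountName) holds group memberships:"
    $honeytoken.MemberOf
}
```

Run the first half once per domain to decide which DCs get the portal activation and which need the v2 installer; run the second half every time you add or rotate a honeytoken, because a dormant account that quietly gets reused for a backup job turns a high-signal alert into noise.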

Why this actually changes behaviour

The sensor needs time to learn what normal looks like — figure on a few weeks per DC before the behavioural alerts settle. Don’t treat every early alert as gospel. Watch, tune, then trust.

“So I just switch it on and start blocking?”

No. You switch it on and start watching. Audit before you trust. The honeytoken is the exception — that one’s high-confidence from minute one.

Here’s the real win, and it’s a business one. Identity attacks don’t announce themselves on the endpoint. They look like a valid logon, because they are one — with stolen credentials. The DC is the one place that sees the pattern. Turn the sensor on and you’ve gone from “we’d never know” to “we’d get paged.”

For an MSP, that’s a renewal conversation, not a checkbox. “We’re watching your domain controllers for credential attacks” is something a client understands and pays for.

Defender for Identity isn’t there to add another console to your morning. It’s there so the most important server in the building finally has someone listening.

You’ve already got the witness. Go take the statement.

The SMB MSP As We Know It Won’t See 2030

I had a conversation recently with an MSP owner who’s been running the same shape of business for nearly twenty years. Same monthly recurring revenue model, same per-seat pricing, same mix of patching, monitoring, helpdesk, and the occasional project. He asked me what I thought the next five years looked like for him. I told him honestly. The business he runs today won’t exist by 2030. Not because he’ll do anything wrong, but because the market won’t need it anymore.

I’ve been saying versions of this quietly for a while. I think it’s time to say it out loud. The SMB MSP businesses of today — the ones built on managing endpoints, watching dashboards, resetting passwords, and pushing patches — are walking into a wall. The wall is closer than most of them realise.

The work that paid the bills is being automated away

Pick any traditional MSP price book and look at where the labour hours actually go. Patching. Monitoring. Tier 1 helpdesk. Onboarding and offboarding. Backup checks. Mailbox issues. OneDrive sync problems. Printer queues. The same dozen tickets, repeated across hundreds of clients, every week.

Almost none of that work needs a human anymore. Intune does the patching. Microsoft 365 does the self-healing. Defender does the watching. Entra automates the onboarding once it’s wired up properly. And Copilot — sitting inside Outlook, Teams, and the admin centres — answers the questions that used to be a phone call to the helpdesk. A user asking “why can’t I see this shared mailbox?” used to be a fifteen-minute ticket. Now it’s a Copilot prompt and a self-service result.

The MSP owner who thinks AI is “still a few years away” is the same one who told me cloud was a fad in 2014. The labour arbitrage that built the MSP industry — paying a junior tech in one city to fix something for a client in another — only works when the labour is needed. It mostly isn’t.

Microsoft is quietly eating the stack

The other story most MSPs aren’t telling themselves honestly is what’s happening to their tool chain. The classic SMB MSP stitched together five or six separate products to deliver a managed service — RMM, PSA, backup, antivirus, email security, password manager, MFA. The margin was in the stitching, not in any individual product.

Microsoft 365, with Defender, Intune, Entra, Purview, and Copilot layered on top, now covers most of that surface natively. It’s not perfect and it’s not cheaper, but it’s good enough for the SMB segment — and it’s getting better every quarter. When the platform a client already pays for can deliver eighty per cent of what the MSP used to charge for, the conversation about the other twenty per cent gets uncomfortable fast.

I watched an SMB owner last month ask Copilot in the Microsoft 365 admin centre to summarise her security posture, suggest fixes, and draft a message to her staff about a new MFA requirement. Three things her MSP would have charged her for, done in under a minute, without leaving the browser. She didn’t call her MSP afterwards. She just got on with her day. That’s the shift.

Buyers stopped wanting “managed IT”

There’s a generational change in SMB buyers that the industry is underestimating. The people running small businesses now grew up on consumer software that just works. They don’t want a relationship with a company that “manages their IT”. They want outcomes — their email working, their files safe, their staff productive — and they expect those outcomes to be invisible.

When the outcome can be delivered by a platform plus an AI assistant, the MSP isn’t a partner anymore. It’s a middleman. And middlemen who can’t articulate the unique value they add get squeezed out, every single time, in every industry where this pattern has played out before. Travel agents. Stockbrokers. Bookkeepers doing data entry. The MSP delivering commodity managed services is next.

The margins are already gone

Talk to any honest MSP owner about their margins over the last three years and you’ll hear the same story. Costs up. Prices flat or barely moving. Clients pushing back on increases. Staff harder to find, more expensive to keep, and asking for the kind of work that doesn’t exist in a commodity managed service anymore.

The economics don’t recover. They get worse. Because the AI tooling that’s eating the work is also reducing the cost of delivery for the few players who lean into it — meaning the price floor keeps dropping. An MSP charging eighty dollars a seat for traditional managed services is competing against a competitor charging forty, who has automated most of the same work, who is competing against a Microsoft partner bundling Copilot at a price point that makes the conversation moot.

What survives

I’m not saying every MSP is gone by 2030. I’m saying the shape most of them have today is gone. What survives is something different. Advisory businesses that help SMBs use Copilot well. Specialists who can wire up Power Automate flows that actually move the needle for a client. Security-led practices that go deep instead of wide. Firms that have stopped selling time and started selling outcomes.

Those businesses look almost nothing like the typical SMB MSP of 2025. Different revenue model, different staff mix, different conversations with clients. The ones quietly making that turn now will be fine. The ones still arguing about whether AI is overhyped will not.

I’d rather have the uncomfortable conversation in 2026 than the unavoidable one in 2029. If you run an MSP, the next eighteen months are when the work gets done — or doesn’t.

The task app you already bought four times

Open most small businesses and you’ll find the same thing. Someone’s running their personal to-dos in To Do. The team’s tracking a project on a Planner board. A manager’s got a Trello tab open. And somebody just expensed a Monday.com seat.

Four tools. One job. Nobody can see the whole picture.

Here’s what most people missed. Microsoft quietly folded To Do, the old Planner, Tasks in Teams and Project for the web into a single app — and just called it Planner. One place. No new licence.

That’s not a rebrand. That’s four subscriptions your clients can stop paying for.

And if they’re on a Microsoft 365 Business plan, they already own it.

What is the new Planner, really?

Think of it as one task list that finally spans the messy middle between “remind me to call the accountant” and “ship the office move by March”.

At the bottom sits your personal stuff — the same tasks that used to live in To Do, now showing up under My Tasks and My Day. In the middle are shared plans your team works from together. At the top, if you ever need it, full project scheduling with timelines and dependencies.

Same app. You just go as deep as the job needs.

Here’s the real win for an SMB. The thing you were about to buy Asana for? It’s the middle tier, and it’s already switched on.

Step-by-Step: putting tasks where the work happens

The mistake is opening Planner as its own app and treating it like another silo. Don’t. Put it where the team already talks.

Find the app

In Microsoft Teams, click Apps on the left rail, search for Planner, and add it. Until April 2024 this was the clunkily-named “Tasks by Planner and To Do” — same app, now just Planner. You’ll also find it on the web at planner.cloud.microsoft if you want it in its own tab.

Pin it to a channel

This is the step that changes everything. Open the channel where the team already works — say your client’s Marketing channel — click the + at the top, and add a Planner tab.

Now the plan lives inside the conversation. No app-switching. No “where’s that board again”. The tasks sit right next to the chat about them.

Build the plan

Create a plan, add a few buckets — To Do, Doing, Done works fine — and start dropping in tasks. Assign people, set due dates, done.

Know which tier you’re on

This is where people get nervous about cost. They shouldn’t. Here’s the line:

Included with Microsoft 365:  Grid, Board, Schedule, Charts
Needs a paid Planner plan:    Timeline, People, Goals, dependencies, sprints

Notice what’s missing? There’s no licence to buy for the everyday stuff. Boards, grids, a schedule view and basic charts are all in the box. You only pay if a client genuinely needs Gantt charts and dependencies — and most never will. The admin documentation spells out exactly what sits where.

Why this actually changes behaviour

“Which app has the project in it again?”

When that question disappears, something shifts.

Tasks stop being scattered across four tools and start living in one place the team already opens fifty times a day. Your personal to-dos, your team’s plans, even your old Project schedules — one pane.

For an MSP, this is a quietly brilliant client conversation. You’re not selling anything new. You’re showing them they’ve been paying a third party for something Microsoft already bundles. That builds trust faster than any upsell ever will.

And the migration worry? There isn’t much of one. Your old Planner boards are already there. To Do items flow in on their own. Project for the web has been retired straight into Planner. You’re not moving anything — it already moved.

If you’re rolling out Microsoft 365 and you’re not showing clients this, you’re leaving them to pay for Trello out of habit.

The new Planner isn’t there to give your clients another task app. It’s there to let them close the other three.

The Difference Between a Direction and a Walk

I’ve been watching people coach lately. Mine and other people’s. Inside teams, on calls, in coaching sessions, in the small handovers that happen between desks. And the same pattern keeps surfacing, in versions large and small.

We give directions. We rarely take the walk.

A direction is the polite, efficient gesture — the link in chat, the screenshot with an arrow, the “have a look at this, it explains it well”. It assumes the person on the other end has the time, the focus, and the confidence to follow the trail to the end. Most of the time, they don’t. Most of the time, they were asking because the trail is exactly what they’ve been struggling with.

Taking the walk is different. It means putting down what you were doing, getting up out of your chair (literally or in the digital equivalent of it), and going with them. It is slower, it is less elegant, and it is the thing that almost always works.

Why this hits hardest with Copilot right now

The reason this is sitting on top of my mind is what I’m seeing inside Microsoft 365 rollouts. Copilot is now embedded across Outlook, Word, Excel, Teams, OneNote, Loop — every surface a knowledge worker touches. The interface is right there. The documentation is right there. The training videos are right there.

And the gap is still enormous.

That gap isn’t a documentation problem. It’s a companionship problem. People know Copilot is in their email. What they don’t know is what to type when they actually have to reply to a customer who is upset, or summarise a three-week Teams thread, or pull the relevant lines out of a contract sitting in SharePoint. They need a person beside them the first time. Not afterwards. Not in a wiki. The first time.

When you sit next to somebody — sharing a screen in Teams works just as well as sitting at the same desk — and you open Copilot in their inbox, in front of their actual unread emails, two things happen. First, the prompt becomes specific. Generic prompt libraries are useless; their prompt for their email at this moment is electric. Second, they see you make a mistake, refine it, try again, and get somewhere usable. That’s the part documentation never teaches.

The handover is part of the coaching

The other thing I’ve come to value is the handover. Coaching isn’t finished the moment somebody can do the thing once. It’s finished when they have somewhere to go the second time.

In Microsoft 365 that means leaving a trail the next person — or the same person on a different morning — can pick up. Pin the prompt you just shaped together into a Loop component the team can see. Drop a note in their Teams channel calling out what worked. Connect them with the colleague who is already three months ahead. The point is that the next time they reach for help, the path ahead is already lit.

What I’m trying to do less of

I’m catching myself in the act of pointing more often than I’d like to admit. The instinct to send the link is strong; it costs me nothing, it looks like I helped, and it gets the conversation off my plate.

But the version of me that other people actually need isn’t the one with the curated bookmarks. It’s the one prepared to push the chair back and say, fine, let’s go and look at it together.

That’s the coaching that compounds. Everything else is signage.

Copilot Cowork Just Hit GA — and CSP-Managed Tenants Are Hitting a Billing Wall

Why “Your organization is managed by your solution provider” appears, why the customer’s own Azure subscription won’t save you, and the exact partner-side fix.

The symptom

Here’s a scenario that is going to land on a lot of MSP desks over the coming weeks. You have a client who has been happily using Microsoft 365 Copilot Cowork while it was in preview. They love it. They want to roll it out to more people. Then Cowork moves into General Availability, and suddenly they can’t add any new users to it. When they go digging in the Microsoft 365 admin centre, into the Copilot section to sort out billing, they are met with this brick wall:

The exact message

“Your organization is managed by your solution provider. Copilot credit setup for organizations managed by a solution provider must be set up by your provider. Contact your provider to enable consumption-based AI services for your organization.”

The kicker is that this particular client already has a perfectly good pay-as-you-go Azure subscription sitting in their tenant. So the natural reaction is: I have an Azure subscription, I have billing, why is Microsoft telling me to phone a friend? The short version is that this is not a bug, it is not a permissions problem, and it is not something the client can click their way out of. It is a commerce-channel issue, and the resolution lives with whoever holds the CSP relationship — which, for most of us reading this, means it lives with us.

What actually changed at GA

When Cowork was in preview, the gloves were off — people could use it without the full commercial billing plumbing being in place. At GA, Microsoft moved Cowork behind what they call usage-based billing, powered by Copilot Credits. This is the same consumption model that sits alongside fixed per-user Copilot licensing. Worth noting precisely: as it stands today, this usage-based billing method only applies to Copilot Cowork and the Work IQ API — it is not the whole Copilot estate. Microsoft has said more agents and services will be folded into this model over time, but right now Cowork is the headline reason an MSP will trip over this.

How the new billing model is wired up

Usage-based billing is managed from a new node in the Microsoft 365 admin centre: Copilot, then Cost Management. That is where an admin activates a default spending policy, sets monthly and per-user spending limits, configures alert thresholds, and — critically — chooses a billing method. The billing method is an Azure subscription. Copilot Credits are drawn against that subscription on a pay-as-you-go basis (with optional pre-purchase plans layered on top for discounting, but ignore that for now). So the whole thing hinges on one question: which Azure subscription is allowed to be the billing method? And that is exactly where a CSP-managed tenant comes unstuck.

Why the client’s existing Azure subscription doesn’t help

This is the bit that catches people out, so it is worth being precise. The client genuinely has an Azure subscription. But the Copilot Cost Management setup, in a CSP-managed tenant, will not let them attach it — because that subscription is almost certainly on the wrong commerce channel. When a tenant is managed under the Cloud Solution Provider program, Microsoft routes all consumption commerce — Azure, marketplace, and now these AI services — through the partner’s Microsoft Partner Agreement billing account. A subscription the customer signed up for directly (a credit-card MOSP or direct Microsoft Customer Agreement Azure sub) is a completely separate billing relationship that the partner does not own. The commerce platform sees the tenant flag that says “this org is CSP-managed”, looks for a billing source on the partner channel, doesn’t find one, and throws up the “managed by your solution provider” gate. The presence of some other Azure subscription in the tenant is irrelevant to that check.

The mental model: who owns the commerce channel

If you keep one diagram in your head, make it this one. A CSP-managed customer’s consumption billing has to originate from an Azure plan that the partner provisions under their Microsoft Partner Agreement. The Azure plan gives the customer access to Azure services at pay-as-you-go rates under a Microsoft Customer Agreement, and the resulting Azure subscription lives in the customer tenant but invoices back to the partner. That partner-channel subscription is the only thing the Copilot Cost Management billing-method picker will accept for a CSP tenant. Here is how the three channels compare:

Billing channel                                      Who owns it         Works as Cowork billing method in a CSP tenant?
Direct / MOSP Azure (customer’s own credit card)     The customer        No — wrong channel, not visible to the CSP gate
Direct Microsoft Customer Agreement (Azure direct)   The customer        No — tenant is flagged CSP-managed, so this is bypassed
Azure plan under Microsoft Partner Agreement (CSP)   The partner (you)   Yes — this is the channel the gate is looking for

The fix, step by step (partner side)

Assuming you are the CSP for this client, the resolution is to provision an Azure plan and an Azure subscription for them through the partner channel, then point Copilot Cost Management at it. Work through these in order:

  • Confirm the Microsoft Customer Agreement is accepted. In Partner Center, open Customers, select the customer, and check the Microsoft Customer Agreement status on their Account page. You cannot purchase an Azure plan until the MCA is in place — invite them to sign it directly with Microsoft if it isn’t.

  • Purchase the Azure plan. In Partner Center, with the customer selected, choose Add products, set Segment to Commercial, find Azure plan, add to cart, Review and Buy. If the customer already has an active Azure plan, skip to the next step.

  • Create an Azure subscription under that Azure plan. Sign in to the Azure portal with your Partner Center (Admin agent) credentials, making sure you are in your partner directory, not the customer’s. Go to Cost Management + Billing, pick the billing scope for the account where the customer sits, open Customers, select the customer, then All billing subscriptions, and choose Add. Pick a Usage based / Azure subscription with the plan set to Microsoft Azure Plan, then Review and create.

  • Lean on AOBO for the Azure rights. Subscriptions you create through CSP grant Admin-on-Behalf-of, which gives any Admin agent in your partner tenant Owner rights on that subscription automatically. That satisfies the setup wizard’s requirement for Owner or Contributor on the Azure subscription and resource group — no extra role assignment needed.

  • Configure usage-based billing in the customer’s M365 admin centre. Go to Copilot, then Cost Management, and select Get Started. In the Billing method section choose the new CSP Azure subscription. Set a sensible monthly spending limit, a per-user spending limit, and alert recipients and thresholds, then Activate. The Cowork block clears and you can add users again.

Prerequisites worth double-checking before you start

Setup will fail at the last hurdle if any of these are missing, so confirm them up front:

  • On the Microsoft 365 side, the person running the Cost Management setup needs Global administrator or Billing administrator. AI administrator and License administrator can create spending policies and manage limits, but they cannot set or change the billing method.

  • The tenant must have at least one SharePoint licence, or a licence that includes SharePoint. This is a real prerequisite for the Copilot billing node, and easy to overlook on a lean tenant.

  • You need Owner or Contributor on both the Azure subscription and a resource group in it. Via CSP and AOBO this is automatic, but if you have deliberately stripped AOBO and are using Lighthouse or directory accounts instead, make sure the identity doing the setup actually has those rights.

  • An Azure resource group must exist in the subscription — the wizard can create one for you during setup if needed.
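The Azure-side prerequisites above are the ones that fail silently at the last wizard page, so they are worth checking from a shell before you open Cost Management. The script below is an added example, not code from the post or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.Billing modules, that you are signed in as the identity that will run the setup, and that the subscription id, resource group name and region are placeholders you replace. It shows the billing account's agreement type (the property this assumes is AgreementType, which distinguishes a Microsoft Partner Agreement account from a direct MCA or MOSP one), confirms Owner or Contributor on the subscription, and makes sure a resource group exists.

```powershell
# Added example (not from the post): confirm the Azure-side prerequisites for the
# Copilot Cost Management wizard on the CSP-provisioned subscription.
# Assumes Az.Accounts, Az.Resources and Az.Billing; all ids and names below are placeholders.
$SubscriptionId = '<subscription-id-from-partner-center>'
$scope = "/subscriptions/$SubscriptionId"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$ctx = Get-AzContext

# 1. Which commerce channel is this billing account on? For a CSP tenant the picker only
#    accepts a subscription invoiced through the partner's Microsoft Partner Agreement.
#    Run this from the partner directory; AgreementType is the property assumed here.
Get-AzBillingAccount |
    Select-Object Name, DisplayName, AgreementType, AccountType |
    Format-Table -AutoSize

# 2. Owner or Contributor on the subscription. AOBO appears as a foreign-principal group
#    assignment rather than under your own sign-in name, so this check matters for the
#    directory-account or Lighthouse case the post mentions, not the default AOBO path.
$roles = Get-AzRoleAssignment -Scope $scope -SignInName $ctx.Account.Id -ErrorAction SilentlyContinue |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' }
if (-not $roles) {
    Write-Warning "$($ctx.Account.Id) has neither Owner nor Contributor on $scope; the wizard will fail."
} else {
    "Role OK: " + (($roles.RoleDefinitionName | Sort-Object -Unique) -join ', ')
}

# 3. At least one resource group must exist. The wizard can create one, but creating it here
#    keeps the run deterministic and lets you name it to your convention.
$rgName   = 'rg-copilot-billing'   # placeholder
$location = 'uksouth'              # placeholder; pick the region you want the policy tied to
$rg = Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $rgName -Location $location
}
"Resource group: $($rg.ResourceGroupName) ($($rg.Location))"
```

If step 1 shows nothing on a partner agreement, the subscription you are looking at is the customer's direct one and you are back to provisioning the Azure plan through Partner Center; step 2 failing is the usual cause when a tenant has had AOBO removed in favour of Lighthouse.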

Direct CSP vs indirect reseller — know which one you are

There is an important fork here. If you are a direct-bill CSP partner, you hold the Microsoft Partner Agreement billing account yourself and you run every step above in your own Partner Center. If you are an indirect reseller sitting underneath a distributor or indirect provider, you do not own that billing account — the Azure plan purchase is initiated through your indirect provider’s flow, not your own Partner Center billing scope. In that case you coordinate with your distributor to get the Azure plan provisioned, and then you can still handle the Azure subscription creation and the customer-side Cost Management configuration. And if it turns out a completely different provider holds the CSP relationship for this client, then none of this is yours to fix directly — that provider has to provision the Azure plan, or the CSP relationship needs to be transferred to you first.

Gotchas and things I’d watch

A few practical landmines that are easy to step on with this new model:

  • Budgets notify, they don’t stop. A budget on a billing policy triggers email alerts at the thresholds you set, but by default it does not enforce a hard cap or interrupt service. If you want a genuine ceiling, use the monthly spending limit and per-user limits in the Cost Management spending policy, which can actually cut access when hit.

  • Set a per-user limit on day one. The whole point of consumption billing is that a single enthusiastic user can run up real spend. The per-user monthly limit is optional in the wizard, but for an MSP managing someone else’s bill, treat it as mandatory.

  • Region selection is sticky. When you create the billing policy you choose a region that determines where tenant ID and usage data are stored, and you cannot edit the subscription or resource group tied to a policy afterwards. Get it right the first time.

  • Turning pay-as-you-go off is not instant. Disconnecting a service from a billing policy can take up to two hours to actually stop users, so don’t panic if access lingers briefly after you flip it off.

  • Pre-purchase plans layer on top, they are not an either/or. If cost predictability matters, a Copilot Credit pre-purchase plan gives discounted credits that are consumed first, with pay-as-you-go catching any overage. You don’t have to choose one or the other.

The takeaway

This is going to be a recurring support ticket. Cowork going GA is good news, but the GA billing model assumes the customer can attach their own Azure subscription — and for CSP-managed tenants that assumption simply doesn’t hold, no matter how many Azure subscriptions are already sitting in the tenant. The fix is entirely on the partner side: provision an Azure plan and subscription through the CSP channel, then point Copilot Cost Management at it. If you manage Microsoft 365 customers through CSP and any of them are using Cowork, get ahead of this now, because the moment GA flips the billing requirement on, their ability to add users stops until you’ve done the plumbing. As always, plan it, test it on one tenant, and document the steps so your L1 team can repeat them.

The remote shell you already own and never switched on

A client rings. A machine’s behaving strangely — fake-looking PowerShell, a scheduled task nobody created, something. What do most of us do?

We RDP in. Or worse, we send someone onsite.

Here’s the thing. If that device is onboarded to Defender for Endpoint, you already have a remote command line sitting right there in the portal. You can be on the box, reading its running processes, in about thirty seconds. From your desk.

Most MSPs I talk to have never turned it on. For some it’s a checkbox they walked straight past during onboarding. For others — and this is the part that trips people up — it’s a licence they didn’t realise they’re missing. Either way, it’s a gap worth closing.

What is Live Response, really?

Live Response is a secure remote shell into any onboarded device, run entirely from the Defender portal. No RDP. No VPN. No jump box. No asking a panicked user to “click the thing I just emailed you”.

You open a session and you’re talking to the machine in real time. List processes, pull a suspicious file back to the portal for analysis, kill something, drop a registry change, or run a PowerShell script you’ve pre-loaded.

Think of it as the SSH session you always wished you had for your Windows fleet — except the audit trail writes itself and you never went near the network.

Here’s the real win. The thirty minutes you used to burn coordinating remote access to a maybe-compromised box just disappears. You’re simply there.

Step-by-step: getting on the box

This lives in Live Response in Defender for Endpoint, and it needs Defender for Endpoint Plan 2.

Now read this next bit carefully, because it’s where the assumption bites. Business Premium does not give you Plan 2. Business Premium includes Defender for Business — same great EDR detections, and the basic response actions you’d expect (isolate the device, run an antivirus scan, quarantine a file). But Live Response, the remote shell, is not in Defender for Business. It’s a Plan 2-only feature.

So before you promise a client “I’ll just hop on the box,” check what they’re actually licensed for. To get Live Response onto a Business Premium tenant you need either the Defender Suite for Business Premium add-on (around $10/user/month — which also lands you Defender for Office 365 P2, Entra ID P2 and more) or a standalone Defender for Endpoint Plan 2 licence.

And one last gotcha that catches people out: even after you assign the licences, the tenant defaults to the Defender for Business experience. You have to contact Microsoft Support and ask them to switch the tenant to the Plan 2 experience before the remote shell appears. It’s a one-time thing, but it’s a ticket, not a toggle.

None of this is a reason not to do it. It’s a reason to do it deliberately — a line item on the proposal and a switch request, not a feature your client already paid for and forgot about. Honestly, for a managed-security MSP that’s the easy version of this conversation: “for ten dollars a user I can be on any sick machine in thirty seconds” sells itself.

Turn it on first

This is the step everyone misses. Even once you’re licensed, Live Response is off by default.

Go to the Microsoft Defender portal, then Settings > Endpoints > Advanced features. Flip Live Response on. If you want to run sessions and scripts against server SKUs too, enable Live Response for Servers as well; without it, server devices will not offer a session. Save. These toggles are tenant-wide, so one switch covers every onboarded device. (Microsoft's Configure advanced features page walks through every toggle on that page.)

There’s a second switch just below: Live Response unsigned script execution. Leave that off. I’ll come back to why.

Check who’s allowed

Live Response is gated by role. Read-only permissions can look but not touch. In the Defender for Endpoint roles page (Settings > Endpoints > Roles) the technician group needs the Active remediation actions permission plus the Live response capabilities option, which comes in two levels: Basic commands covers the read-style commands (listing processes, connections, persistence, pulling a file), and Advanced commands is required for run and putfile, the two commands that actually execute or drop code on the box. If the tenant is on unified RBAC, the same split appears as basic and advanced live response under Response (manage). Sort this before an incident, not during one, and give Advanced commands to as few people as you can live with.

Open a session

Find the device in the inventory, open its page, and click Initiate live response session. Give it a few seconds to connect, and you’ve got a prompt.

Build your library once

This is where it goes from handy to a service. From the session console (the upload-file control) or the Library management page you can upload PowerShell scripts to the Live Response library and run them on demand with a single command, run followed by the script name. Two things to know before you build it: the library is scoped to the tenant, so for an MSP that means uploading the same set into every client tenant; and with unsigned script execution left off, every script in it has to carry a valid Authenticode signature from a certificate the endpoint trusts, or run will refuse it. Write the scripts once, sign them once, load them into each tenant.

A triage runbook might look like this:

run Get-RunningProcesses.ps1
run Get-PersistenceItems.ps1
run Collect-EventLogs.ps1
getfile "C:\Users\Public\suspicious.exe"

Notice what’s missing? No RDP credentials. No copying scripts onto the box and hoping nobody double-clicks them. No “can you read me the error message”. You point at the device, run a vetted script, pull the evidence back. Same four commands, every tenant, every time.
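Here is what one of those library scripts can look like. This is an added example, not code from the original post or from Microsoft: a Get-PersistenceItems.ps1 that gathers the usual autostart locations (Run/RunOnce keys for every loaded user hive, scheduled tasks and services whose executables live outside the Windows and Program Files trees, and WMI event subscriptions), writes the result as JSON somewhere getfile can pull it back, and echoes a count to the console. The output path and the "outside the OS directories" heuristics are assumptions for illustration; the heuristic will flag some legitimate third-party software, which is the point of a triage pack rather than a verdict.

```powershell
<#
  Get-PersistenceItems.ps1
  Added example for a Live Response library script (not Microsoft's code, not
  the original post's). Live Response runs it as SYSTEM on the endpoint; the
  JSON path and the path-based heuristics below are assumptions for this demo.
  Usage in a session:   run Get-PersistenceItems.ps1
  Then pull the pack:   getfile "C:\ProgramData\Triage\persistence.json"
#>
[CmdletBinding()]
param(
    # Assumed location; anywhere getfile can read works.
    [string]$OutFile = 'C:\ProgramData\Triage\persistence.json'
)

$ErrorActionPreference = 'Continue'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Type, [string]$Name, [string]$Location, [string]$Command)
    $findings.Add([pscustomobject]@{
        Type     = $Type
        Name     = $Name
        Location = $Location
        Command  = $Command
    })
}

# 1. Run / RunOnce keys. Under SYSTEM, HKCU is the SYSTEM hive, so enumerate the
#    real user hives loaded under HKEY_USERS (S-1-5-21-... SIDs, not *_Classes).
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
$hives = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds.
            if ($p.Name -notlike 'PS*') { Add-Finding 'RegistryRun' $p.Name $path "$($p.Value)" }
        }
    }
}

# 2. Enabled scheduled tasks whose action executable is not under the Windows
#    directory. Bare names like "cmd.exe" are flagged too; that is deliberate.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '(?i)^"?(%systemroot%|%windir%|C:\\Windows\\)') {
            Add-Finding 'ScheduledTask' $task.TaskName $task.TaskPath ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }
}

# 3. Services whose binary path is outside Windows\ or Program Files.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)^"?(C:\\Windows\\|C:\\Program Files( \(x86\))?\\)' } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.StartMode $_.PathName }

# 4. WMI event subscriptions: a common fileless persistence spot that never
#    shows up in Run keys or the task scheduler.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiSubscription' "$($_.Filter)" 'root\subscription' "$($_.Consumer)" }

# Write the evidence pack and give the technician a one-screen summary.
$dir = Split-Path $OutFile -Parent
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
$findings | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
$findings | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
Write-Output "Wrote $($findings.Count) persistence items to $OutFile"
```

Before it goes into any library, sign it with a code-signing certificate that chains to a root your endpoints trust (deployed through GPO or Intune), for example Set-AuthenticodeSignature -FilePath .\Get-PersistenceItems.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]. An unsigned copy, or one signed by a certificate the device does not trust, is exactly what the unsigned-script toggle is there to block.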

Why this actually changes behaviour

“We don’t touch the machine until we know what we’re dealing with.”

That used to mean waiting. Now it means a thirty-second session and a script you wrote last month.

Here’s what shifts. Triage stops being a scheduling problem and becomes a muscle. Your L1 can open a session and run the runbook before escalating, which means your L3 gets a tidy evidence pack instead of a vague ticket. The work moves down a tier and your senior people stay doing senior work.

And that unsigned-scripts toggle I told you to leave off? That's the discipline. With it off, run only executes scripts carrying a valid Authenticode signature from a certificate the endpoint trusts, so a compromised technician account can't quietly push arbitrary code across your clients' fleets through your own tooling; the worst it can do is run the vetted scripts you already signed. That still leaves the other half: keep Advanced commands in the hands of few people, keep the signing key off the technicians' workstations, and review the Live Response session history in the portal as part of your own hygiene. Convenience that becomes an attack path isn't convenience. Leave it off.

If you’re selling managed Defender and you’re still RDP-ing in to triage, you’re billing time for a problem Microsoft already solved for you — assuming you’ve licensed the fix.

Live Response isn’t there to make remote access faster. It’s there to make “let me get on the machine” a non-event.

Check which tenants are licensed, turn it on this week, and the next incident will thank you.

Can MSPs Actually Bill for Copilot Cowork?


I’ve been mulling over a question that doesn’t get asked enough, and I think it deserves a hard look: when Copilot Cowork lands with pay-as-you-go billing, do small and midsize MSPs actually have the skills to handle it? Not the product. The billing. Because from where I sit, that’s the part most of us are least prepared for.

For years, the SMB MSP model has run on something beautifully predictable: per-seat licensing. A client has thirty users, you sell thirty licences, you mark them up, and everyone knows what next month’s invoice looks like before it arrives. That predictability is the whole foundation. It’s what lets you quote a managed services agreement with a straight face. Consumption billing pulls that foundation out from under you.

We’ve Never Had to Read This Kind of Meter

PAYG is a different animal. Usage goes up and down. Costs follow. Suddenly you’re not selling a fixed thing, you’re selling access to a meter that ticks based on what people actually do inside Copilot. And here’s the uncomfortable truth — most of us have never had to read a meter like this before. We don’t have the muscle for it.

Think about the questions a client will ask the moment their first variable bill arrives. Why was it higher this month? Which users drove that? Was it worth it? If your answer is a shrug and a forwarded Microsoft invoice, you’ve got a problem. You need to pull the usage data, make sense of it, and explain it in plain English. That’s not a skill most SMB MSPs have built, because we’ve never needed it.

Configuring It Is the Easy Part

Turning Copilot Cowork on through the admin centre isn’t the hard bit. Microsoft will make that straightforward enough. The hard bit is everything that wraps around it — setting spending limits so a client doesn’t get a nasty surprise, deciding who gets access, and putting guardrails in place before usage runs away from you.

Then comes reporting, which is where I think the real gap shows. Can you stand in front of a client at the monthly meeting and show them, clearly, what they consumed and what they got for it? You’ll be living in the Microsoft 365 admin centre and the usage reports, and you may well end up pulling that data into Excel — perhaps asking Copilot itself to summarise the month’s consumption into something a business owner can read in thirty seconds. If you can’t produce that story, the client will assume the worst.

This Is a Discipline We Have to Learn

What worries me isn’t the technology. It’s that consumption billing is a genuine discipline, and it’s one the SMB MSP world has largely skipped. The cloud providers have been doing variable billing for years. Most of us serving small business have not. We’ve been comfortable in fixed-price land, and Cowork is going to ask us to grow up fast.

So I’d put the question back to you honestly. Could your business take on a client with Copilot Cowork tomorrow, configure it sensibly, manage the spend, and report on it with confidence? If there’s hesitation in that answer, you’re not behind — you’re normal. But the MSPs who close that gap early, who learn to read the meter and tell the story, are the ones who’ll own this conversation. The rest will be forwarding invoices and hoping nobody asks why.

Do an Audit of Who’s Actually In Your Corner


A few weeks ago I was on a long drive home from a client meeting and I started running through the names of people I’d actually spent real time with over the past year — not the LinkedIn list, the actual list. The ones who’d had my ear, my weekends, my energy and, in some cases, my best thinking. By the time I got home I realised something a bit uncomfortable. A handful of those names didn’t really belong on it anymore. Not because they’re bad people. Because they’re not pulling in the same direction I am.

That’s the part nobody likes to say out loud.

The question worth sitting with

There’s one question I think every business owner should ask themselves once a year, and it’s blunt: is the time I spend with this person making me sharper, or just making me comfortable?

Comfortable is the trap. Comfortable feels like loyalty, like history, like the easy lunch where nothing hard ever gets said. Growth tends to live somewhere else.

I’ve started using Copilot in Outlook to actually look at the data. I’ll ask it to pull together who I’ve met with most over the last three months and the answer is sometimes a surprise. The people I think I’m investing in and the people my calendar shows I’m investing in are not always the same list. Calendars don’t lie. They quietly show you where your time really goes, and once you’ve seen it laid out on a page you can’t unsee it.

Three filters I run people through

When I’m doing this stocktake, I look at three things, and I try not to overthink any of them.

The first is how I feel walking away from the conversation. If I leave a coffee buzzing with ideas and a list of things to try, that’s a signal. If I leave flat and quietly wanting a nap, that’s also a signal. The body keeps a fairly honest scoreboard, even when the head is trying to be polite about it.

The second is whether they’re actually moving. Movement doesn’t have to be loud — I know plenty of quiet operators who are building something serious. But if someone has been telling me the same story about the same plan for three years running, that stagnation will start to drag on you whether you notice it or not.

The third is whether they’ll tell me I’m wrong. The people who only ever agree with me have very little to offer me. The ones who push back, who ask the awkward question, who say “are you sure about that?” — those are the ones I keep close. Anyone who’s only ever told me what I wanted to hear has never once helped me improve.

The hardest cuts are the kindest people

The brutal part of this exercise isn’t the obvious ones. It’s the genuinely lovely humans who just don’t fit where you’re heading next. Lovely doesn’t equal useful. You can wish someone well, mean it completely, and still recognise that the season of regularly being in each other’s diaries has run its course. That’s not betrayal. That’s adulthood.

I keep a private Loop page with my thinking on this — a few names, a few notes, no judgement attached. Copilot helps me draft the reflection prompts when I’m not quite sure what I’m trying to articulate. It’s not a kill list. It’s a way of being deliberate about where my hours go next year, because nobody else is going to be deliberate about it for me.

If you’ve never done a Friendventory, do one this month. Block an hour in your calendar, pour something decent, and walk through the names honestly. The people in your corner shape the business you build next. Pick them on purpose, because by default you’ll just keep whoever was around when you started.