Before You Buy the Copilot Licence, Do This First

MAI_a705418914201c07

Everyone wants to know what Copilot can do. Almost nobody asks what Copilot will find.

That’s the question that actually matters. Copilot doesn’t create new access — it works entirely within your existing Microsoft 365 permissions. It can only surface what a user is already allowed to see.

Sounds safe. It’s not. Not if your SharePoint environment looks like most tenants I’ve walked through.

Sites shared with “Anyone with the link” since 2021. Files in folders with permissions no one’s reviewed in years. Ownerless sites stuffed with content nobody knows exists. When your finance manager asks Copilot to “summarise what we know about Project X,” it’ll pull from everything she can already access — including documents she’d have had to know to search for directly.

That’s not a Copilot problem. That’s the data governance problem you already had, just made visible.

My recommendation? Run the readiness assessment before you assign a single licence.

What is the Copilot Readiness Assessment, really?

Most people think readiness means “do you have the right licence and update channel.” The Copilot Readiness Report in the Microsoft 365 admin centre does tell you that — which users are technically eligible, which devices are on the right update channel, who your best pilot candidates are.

That’s the easy half.

The hard half is whether your data is in a state that Copilot should be let near. That check lives in a completely different place, and most readiness guides skip it entirely.

Notice what’s missing? Almost every “Copilot readiness checklist” you’ll find online focuses on licence eligibility. The data side is where the actual risk sits.

Step-by-Step: Running a Proper Readiness Check
Open the M365 Copilot Readiness Report

Go to the Microsoft 365 admin centre. In the left nav, select Reports > Usage, then choose Microsoft 365 Copilot and open the Copilot report. Click the Readiness tab.

You’ll see prerequisite licence counts, update channel eligibility, and a user table flagging suggested Copilot candidates. Export the list. It gives you a concrete starting point for a pilot conversation with your client.

Check for Oversharing in SharePoint

Open the SharePoint admin centre. Go to Reports > Data Access Governance. This is where you find the oversharing risk — sites with “Anyone” sharing links active, files broadly accessible across the tenant, high-member-count sites with no clear owner.

Work through the data access governance reports. Anything flagged here is content Copilot can reach on behalf of any user who has permission.

By default, SharePoint sharing is set to the most permissive option. Most tenants have never changed it.

Run the Content Management Assessment

Still in the SharePoint admin centre, go to Advanced Management > Content Management Assessment and select Start assessment. This surfaces inactive sites, ownerless sites, and sites that haven’t been attested by anyone recently.

SharePoint admin centre
  > Advanced Management
    > Content Management Assessment
      > Start assessment

Rerun it every 30 days. This isn’t a one-time exercise. It’s a recurring conversation starter with every client who has Copilot.

Review Your Sensitivity Labels

Open the Microsoft Purview compliance portal > Information protection > Labels. Check whether labels are deployed and whether content users will ask Copilot about is actually labelled.

Sensitivity labels travel with content. Copilot honours them at response time — it won’t surface content a user doesn’t have decrypt rights for. No labels means no enforceable control over what ends up in a Copilot response.

They’re not a Copilot feature. They’re the floor you build on.

Why This Actually Changes Behaviour

Here’s the real win.

Running this before you sell the licence gives you a different kind of client conversation. Not “here’s what Copilot can do” — but “here’s what your data looks like right now, and here’s what we need to fix before Copilot is safe to use.” That’s a trusted adviser conversation, not a licence upsell.

Microsoft’s Secure & Governed Data Foundation blueprint organises this into three pillars: remediate oversharing, set up guardrails, meet regulations. It’s worth reading before your next client review. Print it. Take it in.

If you’re not showing clients this work before you enable Copilot, you’re not protecting them — you’re just adding a powerful AI to a mess.

Copilot doesn’t create oversharing. It reveals it. Fix the foundation first, then turn on the power.

Treat Your Calendar Like a Scoreboard

image

Last Friday I sat down with my Outlook calendar open for the week ahead and felt that familiar drop in the stomach. Eighteen meetings. Two thirty-minute “quick syncs” stacked back to back. A coaching session I’d promised myself I’d run for a client. A “catch-up” with someone whose name I had to look up twice. And the actual deep work — the strategy piece I’d been telling everyone was my top priority for the quarter — nowhere to be seen.

That’s the moment it clicked properly. My calendar wasn’t a plan. It was a confession.

What the diary is really telling you

A diary is a record of where your attention actually goes, not where you wish it went. If the most important work of your year isn’t on it — blocked out, named, defended — then you haven’t really committed to it yet. You’ve just talked about it.

A lot of us treat our calendar like an inbox. Things land in it. People send invites, we accept, and the week fills up by default rather than by design. Then we wonder why the work that actually moves the business forward keeps slipping into Saturday morning.

There’s a simple test I run now. Open Outlook on a Sunday night. Look at the week ahead. Can you point to the block that represents the one thing you said matters most this quarter? If not, the rest of the week is just noise around an empty centre. And the empty centre is the bit you said mattered.

Run a weekly audit, not a weekly hope

Hope isn’t a strategy, and a calendar that fills itself isn’t one either. So I now sit down every Friday afternoon for fifteen minutes and review what I actually did against what I said I would do. Copilot in Outlook makes this surprisingly easy — I ask it to summarise where my time went, who I spent it with, and which blocks moved against my stated priorities. The answer is often uncomfortable.

Then I look at the week ahead and run every single block past one question. Is this taking me closer to the work I said matters, or further from it? If the honest answer is “further”, the meeting goes. I decline it, suggest an async update in Teams, or send a Loop component with the three things I would have said in the room. Nobody has yet complained that they got a clearer written summary instead of a half-attended meeting.

The ones that pass the test get something more important than a tick. They get protected. Title in bold, marked as busy, no overlay. I treat them with the same seriousness I’d give a paying client, because future me is the client.

The feedback loop most leaders skip

Here’s the bit that surprised me. Once I started running this rhythm, my calendar stopped being a source of guilt and started being a source of useful signal. It tells me, week by week, whether I’m actually serious about what I said matters. Or whether I’ve quietly traded it for the comfort of being responsive.

That’s the real value of reading the week before you live it. Mid-game, a scoreline tells you what to do next — push harder, change tactics, stop bleeding time on the wrong play. The diary does the same job, if you’ll let it. It doesn’t argue with you. It just shows you the score.

Copilot can draft the polite decline. Teams can absorb the conversation that didn’t need a meeting. Outlook can hold the block you’ve been avoiding. But none of that matters until you decide, every single week, what’s on the board and what’s just filler.

Defender for Identity: the sensor you’ve been avoiding just got easy

MAI_8e04c152a34c15b8

Most of us treat the domain controller like furniture. It’s been in the corner for fifteen years, it works, and nobody wants to touch it.

But that DC sees everything. Every logon. Every Kerberos ticket. Every “let me just check if this service account still works” at 2am from a machine that has no business asking.

You’re sitting on the single richest source of attack signal in the whole environment, and most small-business tenants aren’t reading a word of it.

That’s not a tooling gap. That’s a switch nobody flipped.

And I get why. For years, turning on Microsoft Defender for Identity meant a download, an installer on every DC, a group managed service account, audit GPOs, and a packet-capture driver. Real work. So it sat on the “later” pile.

Later just arrived. The new sensor changes the maths completely.

What is the Defender for Identity sensor, really?

Forget the marketing. Defender for Identity is a sensor that lives on your domain controllers and watches the authentication traffic they already handle.

It’s looking for the things your antivirus will never see — lateral movement, Kerberoasting, DCSync, someone quietly enumerating your admins. The DC is the witness. The sensor just takes its statement.

Here’s what changed. The version 3 sensor — the “unified” one that went generally available late last year — doesn’t ship as its own agent anymore. It rides inside Defender for Endpoint. If Defender for Endpoint is already onboarded on your DC, the identity sensor is a few clicks in the portal. No installer. No service account. No Npcap.

One caveat before you get excited, and it’s the one MSPs trip on: this isn’t in Business Premium. You need Microsoft 365 E5, E5 Security, EMS E5, or the standalone Defender for Identity licence. Check the SKU before you promise a client anything.

Step-by-Step: turning the sensor on

Assuming Defender for Endpoint is already running on a Windows Server 2019-or-later DC that’s kept current on updates, here’s the path. Everything happens in the Microsoft Defender portal — no remoting onto the box.

Open the activation surface

Go to security.microsoft.com, then Settings > Identities. First time in, it provisions your workspace in a few seconds.

Activate the sensor

Open the Sensors (or Activation) page. Every DC that’s already onboarded to Defender for Endpoint and meets the bar shows up as eligible. Tick it, activate, done. No download, no reboot, no downtime on the DC.

Defender portal → Settings → Identities → Sensors
  [x] DC01  (eligible — Defender for Endpoint onboarded)  → Activate
  [x] DC02  (eligible — Defender for Endpoint onboarded)  → Activate

Notice what’s missing? No installer to copy. No service account to create and babysit. No access key pasted into a setup wizard. If you’ve done this the old way, that absence is the whole story.

Mind the stragglers

Version 3 only covers domain controllers on Server 2019 and later. Got an old 2016 DC, or a standalone AD FS, AD CS, or Entra Connect box? Those still need the classic v2 sensor with its installer. Mixed estates are fine — both versions report to the same workspace.

Set a honeytoken

This is the cheap win everyone skips. Under Settings > Identities > Entity tags > Honeytoken, tag a dormant account as a honeytoken. Give it a tasty name — svc-backup-admin, sql_sa_old — and never use it. Because nothing legitimate ever touches it, any authentication against it is, by definition, someone poking where they shouldn’t. High signal, almost no noise.

Why this actually changes behaviour

The sensor needs time to learn what normal looks like — figure on a few weeks per DC before the behavioural alerts settle. Don’t treat every early alert as gospel. Watch, tune, then trust.

“So I just switch it on and start blocking?”

No. You switch it on and start watching. Audit before you trust. The honeytoken is the exception — that one’s high-confidence from minute one.

Here’s the real win, and it’s a business one. Identity attacks don’t announce themselves on the endpoint. They look like a valid logon, because they are one — with stolen credentials. The DC is the one place that sees the pattern. Turn the sensor on and you’ve gone from “we’d never know” to “we’d get paged.”

For an MSP, that’s a renewal conversation, not a checkbox. “We’re watching your domain controllers for credential attacks” is something a client understands and pays for.

Defender for Identity isn’t there to add another console to your morning. It’s there so the most important server in the building finally has someone listening.

You’ve already got the witness. Go take the statement.

The SMB MSP As We Know It Won’t See 2030

image

I had a conversation recently with an MSP owner who’s been running the same shape of business for nearly twenty years. Same monthly recurring revenue model, same per-seat pricing, same mix of patching, monitoring, helpdesk, and the occasional project. He asked me what I thought the next five years looked like for him. I told him honestly. The business he runs today won’t exist by 2030. Not because he’ll do anything wrong, but because the market won’t need it anymore.

I’ve been saying versions of this quietly for a while. I think it’s time to say it out loud. The SMB MSP businesses of today — the ones built on managing endpoints, watching dashboards, resetting passwords, and pushing patches — are walking into a wall. The wall is closer than most of them realise.

The work that paid the bills is being automated away

Pick any traditional MSP price book and look at where the labour hours actually go. Patching. Monitoring. Tier 1 helpdesk. Onboarding and offboarding. Backup checks. Mailbox issues. OneDrive sync problems. Printer queues. The same dozen tickets, repeated across hundreds of clients, every week.

Almost none of that work needs a human anymore. Intune does the patching. Microsoft 365 does the self-healing. Defender does the watching. Entra automates the onboarding once it’s wired up properly. And Copilot — sitting inside Outlook, Teams, and the admin centres — answers the questions that used to be a phone call to the helpdesk. A user asking “why can’t I see this shared mailbox?” used to be a fifteen-minute ticket. Now it’s a Copilot prompt and a self-service result.

The MSP owner who thinks AI is “still a few years away” is the same one who told me cloud was a fad in 2014. The labour arbitrage that built the MSP industry — paying a junior tech in one city to fix something for a client in another — only works when the labour is needed. It mostly isn’t.

Microsoft is quietly eating the stack

The other story most MSPs aren’t telling themselves honestly is what’s happening to their tool chain. The classic SMB MSP stitched together five or six separate products to deliver a managed service — RMM, PSA, backup, antivirus, email security, password manager, MFA. The margin was in the stitching, not in any individual product.

Microsoft 365, with Defender, Intune, Entra, Purview, and Copilot layered on top, now covers most of that surface natively. It’s not perfect and it’s not cheaper, but it’s good enough for the SMB segment — and it’s getting better every quarter. When the platform a client already pays for can deliver eighty per cent of what the MSP used to charge for, the conversation about the other twenty per cent gets uncomfortable fast.

I watched an SMB owner last month ask Copilot in the Microsoft 365 admin centre to summarise her security posture, suggest fixes, and draft a message to her staff about a new MFA requirement. Three things her MSP would have charged her for, done in under a minute, without leaving the browser. She didn’t call her MSP afterwards. She just got on with her day. That’s the shift.

Buyers stopped wanting “managed IT”

There’s a generational change in SMB buyers that the industry is underestimating. The people running small businesses now grew up on consumer software that just works. They don’t want a relationship with a company that “manages their IT”. They want outcomes — their email working, their files safe, their staff productive — and they expect those outcomes to be invisible.

When the outcome can be delivered by a platform plus an AI assistant, the MSP isn’t a partner anymore. It’s a middleman. And middlemen who can’t articulate the unique value they add get squeezed out, every single time, in every industry where this pattern has played out before. Travel agents. Stockbrokers. Bookkeepers doing data entry. The MSP delivering commodity managed services is next.

The margins are already gone

Talk to any honest MSP owner about their margins over the last three years and you’ll hear the same story. Costs up. Prices flat or barely moving. Clients pushing back on increases. Staff harder to find, more expensive to keep, and asking for the kind of work that doesn’t exist in a commodity managed service anymore.

The economics don’t recover. They get worse. Because the AI tooling that’s eating the work is also reducing the cost of delivery for the few players who lean into it — meaning the price floor keeps dropping. An MSP charging eighty dollars a seat for traditional managed services is competing against a competitor charging forty, who has automated most of the same work, who is competing against a Microsoft partner bundling Copilot at a price point that makes the conversation moot.

What survives

I’m not saying every MSP is gone by 2030. I’m saying the shape most of them have today is gone. What survives is something different. Advisory businesses that help SMBs use Copilot well. Specialists who can wire up Power Automate flows that actually move the needle for a client. Security-led practices that go deep instead of wide. Firms that have stopped selling time and started selling outcomes.

Those businesses look almost nothing like the typical SMB MSP of 2025. Different revenue model, different staff mix, different conversations with clients. The ones quietly making that turn now will be fine. The ones still arguing about whether AI is overhyped will not.

I’d rather have the uncomfortable conversation in 2026 than the unavoidable one in 2029. If you run an MSP, the next eighteen months are when the work gets done — or doesn’t.

The task app you already bought four times

MAI_fc3e22436f18508c

Open most small businesses and you’ll find the same thing. Someone’s running their personal to-dos in To Do. The team’s tracking a project on a Planner board. A manager’s got a Trello tab open. And somebody just expensed a Monday.com seat.

Four tools. One job. Nobody can see the whole picture.

Here’s what most people missed. Microsoft quietly folded To Do, the old Planner, Tasks in Teams and Project for the web into a single app — and just called it Planner. One place. No new licence.

That’s not a rebrand. That’s four subscriptions your clients can stop paying for.

And if they’re on a Microsoft 365 Business plan, they already own it.

What is the new Planner, really?

Think of it as one task list that finally spans the messy middle between “remind me to call the accountant” and “ship the office move by March”.

At the bottom sits your personal stuff — the same tasks that used to live in To Do, now showing up under My Tasks and My Day. In the middle are shared plans your team works from together. At the top, if you ever need it, full project scheduling with timelines and dependencies.

Same app. You just go as deep as the job needs.

Here’s the real win for an SMB. The thing you were about to buy Asana for? It’s the middle tier, and it’s already switched on.

Step-by-Step: putting tasks where the work happens

The mistake is opening Planner as its own app and treating it like another silo. Don’t. Put it where the team already talks.

Find the app

In Microsoft Teams, click Apps on the left rail, search for Planner, and add it. Until April 2024 this was the clunkily-named “Tasks by Planner and To Do” — same app, now just Planner. You’ll also find it on the web at planner.cloud.microsoft if you want it in its own tab.

Pin it to a channel

This is the step that changes everything. Open the channel where the team already works — say your client’s Marketing channel — click the + at the top, and add a Planner tab.

Now the plan lives inside the conversation. No app-switching. No “where’s that board again”. The tasks sit right next to the chat about them.

Build the plan

Create a plan, add a few buckets — To Do, Doing, Done works fine — and start dropping in tasks. Assign people, set due dates, done.

Know which tier you’re on

This is where people get nervous about cost. They shouldn’t. Here’s the line:

Included with Microsoft 365:  Grid, Board, Schedule, Charts
Needs a paid Planner plan:    Timeline, People, Goals, dependencies, sprints

Notice what’s missing? There’s no licence to buy for the everyday stuff. Boards, grids, a schedule view and basic charts are all in the box. You only pay if a client genuinely needs Gantt charts and dependencies — and most never will. The admin documentation spells out exactly what sits where.

Why this actually changes behaviour

“Which app has the project in it again?”

When that question disappears, something shifts.

Tasks stop being scattered across four tools and start living in one place the team already opens fifty times a day. Your personal to-dos, your team’s plans, even your old Project schedules — one pane.

For an MSP, this is a quietly brilliant client conversation. You’re not selling anything new. You’re showing them they’ve been paying a third party for something Microsoft already bundles. That builds trust faster than any upsell ever will.

And the migration worry? There isn’t much of one. Your old Planner boards are already there. To Do items flow in on their own. Project for the web has been retired straight into Planner. You’re not moving anything — it already moved.

If you’re rolling out Microsoft 365 and you’re not showing clients this, you’re leaving them to pay for Trello out of habit.

The new Planner isn’t there to give your clients another task app. It’s there to let them close the other three.

The Difference Between a Direction and a Walk

image

I’ve been watching people coach lately. Mine and other people’s. Inside teams, on calls, in coaching sessions, in the small handovers that happen between desks. And the same pattern keeps surfacing, in versions large and small.

We give directions. We rarely take the walk.

A direction is the polite, efficient gesture — the link in chat, the screenshot with an arrow, the “have a look at this, it explains it well”. It assumes the person on the other end has the time, the focus, and the confidence to follow the trail to the end. Most of the time, they don’t. Most of the time, they were asking because the trail is exactly what they’ve been struggling with.

Taking the walk is different. It means putting down what you were doing, getting up out of your chair (literally or in the digital equivalent of it), and going with them. It is slower, it is less elegant, and it is the thing that almost always works.

Why this hits hardest with Copilot right now

The reason this is sitting on top of my mind is what I’m seeing inside Microsoft 365 rollouts. Copilot is now embedded across Outlook, Word, Excel, Teams, OneNote, Loop — every surface a knowledge worker touches. The interface is right there. The documentation is right there. The training videos are right there.

And the gap is still enormous.

That gap isn’t a documentation problem. It’s a companionship problem. People know Copilot is in their email. What they don’t know is what to type when they actually have to reply to a customer who is upset, or summarise a three-week Teams thread, or pull the relevant lines out of a contract sitting in SharePoint. They need a person beside them the first time. Not afterwards. Not in a wiki. The first time.

When you sit next to somebody — sharing a screen in Teams works just as well as sitting at the same desk — and you open Copilot in their inbox, in front of their actual unread emails, two things happen. First, the prompt becomes specific. Generic prompt libraries are useless; their prompt for their email at this moment is electric. Second, they see you make a mistake, refine it, try again, and get somewhere usable. That’s the part documentation never teaches.

The handover is part of the coaching

The other thing I’ve come to value is the handover. Coaching isn’t finished the moment somebody can do the thing once. It’s finished when they have somewhere to go the second time.

In Microsoft 365 that means leaving a trail the next person — or the same person on a different morning — can pick up. Pin the prompt you just shaped together into a Loop component the team can see. Drop a note in their Teams channel calling out what worked. Connect them with the colleague who is already three months ahead. The point is that the next time they reach for help, the path ahead is already lit.

What I’m trying to do less of

I’m catching myself in the act of pointing more often than I’d like to admit. The instinct to send the link is strong; it costs me nothing, it looks like I helped, and it gets the conversation off my plate.

But the version of me that other people actually need isn’t the one with the curated bookmarks. It’s the one prepared to push the chair back and say, fine, let’s go and look at it together.

That’s the coaching that compounds. Everything else is signage.

Copilot Cowork Just Hit GA — and CSP-Managed Tenants Are Hitting a Billing Wall

copilot-cowork-csp-billing-header

Why “Your organization is managed by your solution provider” appears, why the customer’s own Azure subscription won’t save you, and the exact partner-side fix.

The symptom

Here’s a scenario that is going to land on a lot of MSP desks over the coming weeks. You have a client who has been happily using Microsoft 365 Copilot Cowork while it was in preview. They love it. They want to roll it out to more people. Then Cowork moves into General Availability, and suddenly they can’t add any new users to it. When they go digging in the Microsoft 365 admin centre, into the Copilot section to sort out billing, they are met with this brick wall:

The exact message

“Your organization is managed by your solution provider. Copilot credit setup for organizations managed by a solution provider must be set up by your provider. Contact your provider to enable consumption-based AI services for your organization.” The kicker is that this particular client already has a perfectly good pay-as-you-go Azure subscription sitting in their tenant. So the natural reaction is: I have an Azure subscription, I have billing, why is Microsoft telling me to phone a friend? The short version is that this is not a bug, it is not a permissions problem, and it is not something the client can click their way out of. It is a commerce-channel issue, and the resolution lives with whoever holds the CSP relationship — which, for most of us reading this, means it lives with us.

What actually changed at GA

When Cowork was in preview, the gloves were off — people could use it without the full commercial billing plumbing being in place. At GA, Microsoft moved Cowork behind what they call usage-based billing, powered by Copilot Credits. This is the same consumption model that sits alongside fixed per-user Copilot licensing. Worth noting precisely: as it stands today, this usage-based billing method only applies to Copilot Cowork and the Work IQ API — it is not the whole Copilot estate. Microsoft has said more agents and services will be folded into this model over time, but right now Cowork is the headline reason an MSP will trip over this.

How the new billing model is wired up

Usage-based billing is managed from a new node in the Microsoft 365 admin centre: Copilot, then Cost Management. That is where an admin activates a default spending policy, sets monthly and per-user spending limits, configures alert thresholds, and — critically — chooses a billing method. The billing method is an Azure subscription. Copilot Credits are drawn against that subscription on a pay-as-you-go basis (with optional pre-purchase plans layered on top for discounting, but ignore that for now). So the whole thing hinges on one question: which Azure subscription is allowed to be the billing method? And that is exactly where a CSP-managed tenant comes unstuck.

Why the client’s existing Azure subscription doesn’t help

This is the bit that catches people out, so it is worth being precise. The client genuinely has an Azure subscription. But the Copilot Cost Management setup, in a CSP-managed tenant, will not let them attach it — because that subscription is almost certainly on the wrong commerce channel. When a tenant is managed under the Cloud Solution Provider program, Microsoft routes all consumption commerce — Azure, marketplace, and now these AI services — through the partner’s Microsoft Partner Agreement billing account. A subscription the customer signed up for directly (a credit-card MOSP or direct Microsoft Customer Agreement Azure sub) is a completely separate billing relationship that the partner does not own. The commerce platform sees the tenant flag that says “this org is CSP-managed”, looks for a billing source on the partner channel, doesn’t find one, and throws up the “managed by your solution provider” gate. The presence of some other Azure subscription in the tenant is irrelevant to that check.

The mental model: who owns the commerce channel

If you keep one diagram in your head, make it this one. A CSP-managed customer’s consumption billing has to originate from an Azure plan that the partner provisions under their Microsoft Partner Agreement. The Azure plan gives the customer access to Azure services at pay-as-you-go rates under a Microsoft Customer Agreement, and the resulting Azure subscription lives in the customer tenant but invoices back to the partner. That partner-channel subscription is the only thing the Copilot Cost Management billing-method picker will accept for a CSP tenant. Here is how the three channels compare:

– Billing channel
– Who owns it
– Works as Cowork billing method in a CSP tenant?

Direct / MOSP Azure (customer’s own credit card)
The customer
No — wrong channel, not visible to the CSP gate

Direct Microsoft Customer Agreement (Azure direct)
The customer
No — tenant is flagged CSP-managed, so this is bypassed

Azure plan under Microsoft Partner Agreement (CSP)
The partner (you)
Yes — this is the channel the gate is looking for

The fix, step by step (partner side)

Assuming you are the CSP for this client, the resolution is to provision an Azure plan and an Azure subscription for them through the partner channel, then point Copilot Cost Management at it. Work through these in order:

  • Confirm the Microsoft Customer Agreement is accepted. In Partner Center, open Customers, select the customer, and check the Microsoft Customer Agreement status on their Account page. You cannot purchase an Azure plan until the MCA is in place — invite them to sign it directly with Microsoft if it isn’t.

  • Purchase the Azure plan. In Partner Center, with the customer selected, choose Add products, set Segment to Commercial, find Azure plan, add to cart, Review and Buy. If the customer already has an active Azure plan, skip to the next step.

  • Create an Azure subscription under that Azure plan. Sign in to the Azure portal with your Partner Center (Admin agent) credentials, making sure you are in your partner directory, not the customer’s. Go to Cost Management + Billing, pick the billing scope for the account where the customer sits, open Customers, select the customer, then All billing subscriptions, and choose Add. Pick a Usage based / Azure subscription with the plan set to Microsoft Azure Plan, then Review and create.

  • Lean on AOBO for the Azure rights. Subscriptions you create through CSP grant Admin-on-Behalf-of, which gives any Admin agent in your partner tenant Owner rights on that subscription automatically. That satisfies the setup wizard’s requirement for Owner or Contributor on the Azure subscription and resource group — no extra role assignment needed.

  • Configure usage-based billing in the customer’s M365 admin centre. Go to Copilot, then Cost Management, and select Get Started. In the Billing method section choose the new CSP Azure subscription. Set a sensible monthly spending limit, a per-user spending limit, and alert recipients and thresholds, then Activate. The Cowork block clears and you can add users again.

Prerequisites worth double-checking before you start

Setup will fail at the last hurdle if any of these are missing, so confirm them up front:

  • On the Microsoft 365 side, the person running the Cost Management setup needs Global administrator or Billing administrator. AI administrator and License administrator can create spending policies and manage limits, but they cannot set or change the billing method.

  • The tenant must have at least one SharePoint licence, or a licence that includes SharePoint. This is a real prerequisite for the Copilot billing node, and easy to overlook on a lean tenant.

  • You need Owner or Contributor on both the Azure subscription and a resource group in it. Via CSP and AOBO this is automatic, but if you have deliberately stripped AOBO and are using Lighthouse or directory accounts instead, make sure the identity doing the setup actually has those rights.

  • An Azure resource group must exist in the subscription — the wizard can create one for you during setup if needed.

Direct CSP vs indirect reseller — know which one you are

There is an important fork here. If you are a direct-bill CSP partner, you hold the Microsoft Partner Agreement billing account yourself and you run every step above in your own Partner Center. If you are an indirect reseller sitting underneath a distributor or indirect provider, you do not own that billing account — the Azure plan purchase is initiated through your indirect provider’s flow, not your own Partner Center billing scope. In that case you coordinate with your distributor to get the Azure plan provisioned, and then you can still handle the Azure subscription creation and the customer-side Cost Management configuration. And if it turns out a completely different provider holds the CSP relationship for this client, then none of this is yours to fix directly — that provider has to provision the Azure plan, or the CSP relationship needs to be transferred to you first.

Gotchas and things I’d watch

A few practical landmines that are easy to step on with this new model:

  • Budgets notify, they don’t stop. A budget on a billing policy triggers email alerts at the thresholds you set, but by default it does not enforce a hard cap or interrupt service. If you want a genuine ceiling, use the monthly spending limit and per-user limits in the Cost Management spending policy, which can actually cut access when hit.

  • Set a per-user limit on day one. The whole point of consumption billing is that a single enthusiastic user can run up real spend. The per-user monthly limit is optional in the wizard, but for an MSP managing someone else’s bill, treat it as mandatory.

  • Region selection is sticky. When you create the billing policy you choose a region that determines where tenant ID and usage data are stored, and you cannot edit the subscription or resource group tied to a policy afterwards. Get it right the first time.

  • Turning pay-as-you-go off is not instant. Disconnecting a service from a billing policy can take up to two hours to actually stop users, so don’t panic if access lingers briefly after you flip it off.

  • Pre-purchase plans layer on top, they are not an either/or. If cost predictability matters, a Copilot Credit pre-purchase plan gives discounted credits that are consumed first, with pay-as-you-go catching any overage. You don’t have to choose one or the other.

The takeaway

This is going to be a recurring support ticket. Cowork going GA is good news, but the GA billing model assumes the customer can attach their own Azure subscription — and for CSP-managed tenants that assumption simply doesn’t hold, no matter how many Azure subscriptions are already sitting in the tenant. The fix is entirely on the partner side: provision an Azure plan and subscription through the CSP channel, then point Copilot Cost Management at it. If you manage Microsoft 365 customers through CSP and any of them are using Cowork, get ahead of this now, because the moment GA flips the billing requirement on, their ability to add users stops until you’ve done the plumbing. As always, plan it, test it on one tenant, and document the steps so your L1 team can repeat them.