Copilot agent stuck on Waiting for user

Screenshot 2025-04-26 083251

I’ve been working on an autonomous action in Copilot Studio and found that it seems to get stuck on “Waiting for user” as shown above.

Screenshot 2025-04-26 083410

When I open that activity, again you’ll see that it says “Waiting on user”

Screenshot 2025-04-26 083508

If I go to the top right and select Transcript from the menu as shown above.

Screenshot 2025-04-26 082748

I see these two buttons, as shown above. Problem is, neither of them actually does anything! This appears to be a bug.

The solution is to put your browser into developer mode. Search the element for the text:

copilotstudio.microsoft.com/c2

This is the start of the URL that the button should use. Copy that element and paste it into Notepad.

Screenshot 2025-04-26 084058

Remove everything but the URL like so:

Screenshot 2025-04-26 084153

Copy that URL and paste it into a new browser tab in the same session and you should now see the following page:

Screenshot 2025-04-26 084517

You will probably see that it isn’t connected as shown above. If so, click the Connect button to reconnect the service.

Screenshot 2025-04-26 084309

When it is properly connected it should appear as shown above, and your Copilot Studio action should now work and no longer be paused at Waiting for user going forward.

A huge shout out to Shervin Shaffie from Microsoft whose YouTube video provided the solution for me. The video is here:

https://youtu.be/4s7Qa_cYZyQ?si=4-TSkrr-T6_CNqdD&t=1320

at timestamp 22:00 where he walks through fixing the problem as I have outlined in this blog post.

Hopefully, Microsoft is now aware of this issue and will resolve it soon.

What is the ideal structure for collaboration services in Microsoft 365

There isn’t a single “one-size-fits-all” perfect structure, as the ideal setup depends heavily on your organization’s size, culture, industry, compliance needs, and specific work patterns. However, a widely recommended and effective approach revolves around using **Microsoft Teams as the central hub for collaboration**, leveraging other services in specific, defined roles.

Here’s a breakdown of the ideal structure and the role of key services:

Core Principle: Teams as the Primary Collaboration Interface (“Hub”)

Think of Microsoft Teams as the user’s primary window into collaboration for specific groups, projects, or departments. It brings together chat, meetings, files, and apps into one place.

1. Microsoft Teams:

  • Purpose: Day-to-day teamwork, project collaboration, communication within defined groups.

  • Structure:
    • Teams: Create Teams based on organizational structure (departments), major cross-functional projects, or long-term initiatives. Avoid creating too many Teams initially.

    • Channels (Standard): Use channels within a Team to organize conversations and files by specific topics, workstreams, or sub-projects. The “General” channel is for announcements and onboarding.

    • Channels (Private): Use sparingly for focused collaboration within a subset of the Team members when privacy is needed for conversations and files.

    • Channels (Shared): Use for collaborating securely with specific internal or external people/teams without giving them access to the entire parent Team. Ideal for specific vendor collaborations or joint projects with partners.

    • Tabs: Pin frequently used files, SharePoint pages/lists, Planner boards, websites, and other apps as tabs within relevant channels for easy access.
  • Usage: Chat, channel conversations (persistent discussions), scheduled and ad-hoc meetings, screen sharing, integrating apps (like Planner, Forms, Power BI).

2. SharePoint Online:

  • Purpose: The underlying content management service for Teams, intranets, document repositories, and business process automation.

  • Structure:
    • Team Sites (Group-Connected): Every Microsoft Team automatically gets a SharePoint Team Site. This site’s default document library powers the “Files” tab in all standard channels within that Team. Use this site for storing team-specific documents, creating related lists, pages, and news.

    • Communication Sites: Used for broader communication – company intranets, HR portals, department landing pages. Designed for a smaller number of creators and a large audience. Not directly tied to a single Team’s collaboration flow but can be linked to from Teams.

    • Hub Sites: Connect related Team Sites and Communication Sites to provide unified navigation, search, and branding. Essential for building a cohesive intranet and information architecture.
  • Usage: Storing and managing all files shared within a Team’s standard channels, building intranet portals, creating sophisticated document libraries with metadata and views, managing lists, powering Power Automate workflows, long-term knowledge management.

Key Relationship: Teams & SharePoint. Files shared or created in a standard Teams channel live in the corresponding SharePoint Team Site’s document library. Teams provides the contextual interface, while SharePoint provides the robust file management backend (versioning, metadata, permissions, compliance features).

3. OneDrive for Business:

  • Purpose: Personal work file storage, draft documents, ad-hoc sharing with individuals.

  • Structure: User’s individual cloud storage space. Users organize with folders.

  • Usage: Storing individual work files (“My Documents” in the cloud), drafting documents before they are ready for team collaboration, sharing files with one or a few specific individuals (internal or external) on a limited basis, syncing files for offline access.

  • Avoid: Using OneDrive as the primary storage location for official team or project files. Once a file is ready for collaboration or becomes an official team resource, move/copy it to the relevant Teams/SharePoint library.

4. Outlook / Exchange Online:

  • Purpose: Formal communication, external communication, calendaring, personal task management (integrating with To Do).

  • Structure: Individual mailboxes, shared mailboxes (for roles like info@, support@), M365 Group mailboxes (for receiving group emails).

  • Usage: Sending formal announcements, communicating with external parties, scheduling meetings (which are often Teams meetings), managing personal calendars and tasks. Less ideal for iterative, real-time team discussions (use Teams chat/channels instead).

5. Planner / To Do:

  • Purpose: Task management.

  • Structure:
    • Planner: Create Plans and add them as tabs within Teams channels for tracking team tasks related to that channel’s topic or project.

    • To Do: Aggregates tasks assigned to you in Planner, flagged emails from Outlook, and tasks you create manually for personal task management.
  • Usage: Assigning, tracking, and organizing team tasks (Planner); managing individual workload and priorities (To Do).

6. Yammer (Viva Engage):

  • Purpose: Broader, organization-wide communication, communities of practice, social engagement, leadership connection.

  • Structure: Communities based on interests, topics, large departments, or social groups.

  • Usage: Open discussions, Q&A forums, sharing knowledge across organizational silos, company-wide announcements, building culture. Generally not for focused, task-oriented project collaboration (use Teams for that).

Essential Supporting Elements for an Ideal Structure:

  1. Governance: Clear policies on Team/Site creation, naming conventions, external sharing, guest access, lifecycle management (archiving/deletion).

  2. Information Architecture: Planning how sites connect (Hub Sites), use of metadata for findability, navigation strategy.

  3. Security & Compliance: Utilizing M365 Groups for permissions, configuring sensitivity labels, retention policies, Data Loss Prevention (DLP).

  4. User Training & Adoption: Crucial for success. Users need guidance on “when to use what” and best practices. Change management is key.

In Summary – The “When to Use What” Guideline:

  • Inner Loop (Your immediate team, project): Use Teams for chat, meetings, channel conversations, and accessing team files/apps. Files live in the connected SharePoint site. Use Planner within Teams for team tasks.

  • Your Personal Work: Use OneDrive for drafts and personal storage. Use To Do and Outlook Calendar for personal organization. Use Outlook for formal/external email.

  • Outer Loop (Broader organization, communities): Use Yammer (Viva Engage) for broad discussions and communities. Use SharePoint Communication Sites (often via an Intranet) for official news and resources. Use Outlook for org-wide formal email announcements.

Implementing this structure requires planning, clear governance, and consistent user education, but it leads to a more organized, efficient, and secure collaboration environment in Microsoft 365.

Use AI to provide better spam protection and detection with exchange online

Let’s break down how AI enhances spam and phishing protection within Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO), along with configuration examples.

How AI Powers Spam/Phishing Protection in Exchange Online

Instead of just relying on static rules (like blocking specific keywords or known bad IPs), AI (specifically Machine Learning models) introduces several powerful capabilities:

  1. Advanced Pattern Recognition: AI models analyze vast amounts of global email data (billions of messages daily) from Microsoft’s network. They identify subtle and evolving patterns associated with spam, phishing, malware, and impersonation attempts that rule-based systems would miss. This includes:

    • Linguistic Analysis: Understanding the nuances of language, tone, urgency cues, grammatical errors common in phishing, and topic shifts often used to bypass simple filters.

    • Structural Analysis: Examining message headers, sending infrastructure reputation, URL structures, attachment types, and email formatting anomalies.

    • Behavioural Analysis: Learning normal communication patterns for your organization and flagging deviations (e.g., a sudden email from the “CEO” asking for gift cards, which is out of character).
  2. Adaptive Learning: Spammers constantly change tactics. AI models continuously learn and adapt to these new threats in near real-time, significantly reducing the window of vulnerability compared to waiting for manual rule updates. When new spam campaigns emerge, the models retrain based on newly classified samples.

  3. Contextual Understanding: AI helps differentiate between legitimate and malicious use of similar content. For example, an “invoice” email from a known supplier vs. a generic “invoice” from an unknown sender with a suspicious link. AI considers sender reputation, recipient history, link destinations, etc.

  4. Impersonation Detection (MDO): This is heavily AI-driven.

    • User Impersonation: Mailbox Intelligence learns the frequent contacts and communication style of protected users (e.g., executives). It flags emails claiming to be from that user but originating externally or exhibiting unusual patterns.

    • Domain Impersonation: AI detects attempts to use domains that look very similar to your own (e.g., yourc0mpany.com instead of yourcompany.com) or legitimate external domains (e.g., spoofing a well-known supplier).
  5. Enhanced Heuristics & Reputation: AI refines the calculation of Spam Confidence Levels (SCL) and Bulk Complaint Levels (BCL) by incorporating more complex signals than just IP/domain blocklists. It considers the “neighborhood” of sending IPs, historical sending behavior, and feedback loops (user submissions, junk reports).

  6. Zero-Hour Auto Purge (ZAP): Even if a malicious email initially bypasses filters and lands in an inbox, AI continues analyzing signals. If the message is later identified as spam or phishing (often through updated AI models or user reports), ZAP can automatically pull it from user mailboxes.

Specific Configuration Examples (Using the Microsoft 365 Defender Portal)

Most AI capabilities are inherently part of the features. You don’t toggle “AI On/Off,” but you configure the policies that leverage AI.

Prerequisites:

  • Access to the Microsoft 365 Defender portal (https://security.microsoft.com).

  • Appropriate permissions (e.g., Security Administrator, Global Administrator).

  • Note: Some advanced features (like Impersonation, Safe Links, Safe Attachments) require Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses, beyond the basic EOP included with Exchange Online.

Example 1: Tuning Anti-Spam Inbound Policy (Leverages AI for SCL)

AI determines the SCL score based on numerous factors. You configure the actions based on those AI-determined scores.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam.

  2. Select the Anti-spam inbound policy (Default) or click Create policy > Inbound for a custom policy.

  3. In the policy settings, locate the Bulk email threshold & spam properties section and click Edit actions.

  4. Spam Confidence Level (SCL) Actions:
    • Spam: Action: Move message to Junk Email folder (Recommended Default). SCL levels typically 5, 6.

    • High confidence spam: Action: Quarantine message (Recommended). SCL levels typically 7, 8, 9. You could choose Redirect message to email address, Delete message, or Move message to Junk Email folder. Quarantine is generally safest.

    • AI Impact: The determination of which message gets an SCL of 5 vs. 7 vs. 9 is heavily AI-driven based on content, sender, structure, etc.
  5. Bulk Complaint Level (BCL) Threshold: Set a threshold (e.g., 6 or 7). Messages exceeding this BCL (often unwanted marketing mail) will take the specified action (e.g., Move message to Junk Email folder). AI helps differentiate bulk from true spam.

  6. Zero-hour auto purge (ZAP): Ensure “Enable for spam messages” and “Enable for phishing messages” are turned On. This allows AI to retroactively remove messages.

  7. Save the changes.
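
To check how a delivered or quarantined message was scored against the thresholds in Example 1, the SCL and BCL can be read from the `X-Forefront-Antispam-Report` and `X-Microsoft-Antispam` headers that Exchange Online Protection stamps on filtered mail. The following is an added example, not part of the original post: the sample message, the `InboundPolicy` class, the action labels and the function names are constructed for illustration, the SCL bands follow the values listed above, and the handling of SCL -1 (filtering skipped) goes beyond the text.

```python
from dataclasses import dataclass
from email import message_from_string
from email.policy import default as email_default

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "Accounts" <billing@example.net>
To: user@contoso.example
Subject: Invoice overdue
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:7;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;CAT:HSPM;
X-Microsoft-Antispam: BCL:2;

Please see the attached invoice.
"""


@dataclass(frozen=True)
class InboundPolicy:
    """Hypothetical mirror of the portal settings from Example 1."""
    spam_action: str = "MoveToJunk"
    high_confidence_spam_action: str = "Quarantine"
    bulk_threshold: int = 6
    bulk_action: str = "MoveToJunk"


def parse_fields(header_value):
    """Split a 'KEY:value;KEY:value;' header into a dict (keys upper-cased)."""
    fields = {}
    for part in (header_value or "").split(";"):
        # Partition on the first colon only, so values containing colons
        # (for example an IPv6 address in CIP) stay intact.
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = value.strip()
    return fields


def to_int(text):
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def triage(raw_message, pol=InboundPolicy()):
    """Return the SCL/BCL stamped on a message and the action the policy implies."""
    msg = message_from_string(raw_message, policy=email_default)
    scl = to_int(parse_fields(msg["X-Forefront-Antispam-Report"]).get("SCL"))
    bcl = to_int(parse_fields(msg["X-Microsoft-Antispam"]).get("BCL"))

    if scl is None:
        # Header missing or malformed: the message may not have passed through EOP.
        verdict, action = "unknown", "Review"
    elif scl == -1:
        # Filtering was skipped (allow list, safe sender, transport rule).
        verdict, action = "skipped_filtering", "Deliver"
    elif scl >= 7:
        verdict, action = "high_confidence_spam", pol.high_confidence_spam_action
    elif scl >= 5:
        verdict, action = "spam", pol.spam_action
    elif bcl is not None and bcl > pol.bulk_threshold:
        # "Exceeding" the threshold, following the wording of step 5 above.
        verdict, action = "bulk", pol.bulk_action
    else:
        verdict, action = "not_spam", "Deliver"
    return {"scl": scl, "bcl": bcl, "verdict": verdict, "action": action}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that reports `skipped_filtering` reached the mailbox without a spam verdict, so it is worth tracing which allow entry or rule caused the bypass.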

Example 2: Configuring Anti-Phishing Policy (Leverages AI for Impersonation & Spoofing)

Requires MDO licenses for advanced features.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing.

  2. Click Create to make a new policy (recommended) or edit the Default policy.

  3. Phishing threshold & protection:
    • Enable spoof intelligence: Ensure this is On. AI helps identify and classify spoofing attempts (legitimate vs. malicious). You can review/override its findings later under “Spoof intelligence insight”.

    • Impersonation Protection (Key AI Area):
      • Click Edit next to Users to protect. Click Manage sender(s) and add email addresses of key personnel (CEO, CFO, HR Managers, up to 350). AI (Mailbox Intelligence) learns their communication patterns.

      • Click Edit next to Domains to protect. Add your own company domains and consider adding custom domains that are visually similar or frequently targeted. AI flags emails spoofing these domains or using lookalike domains.
      • Enable Mailbox Intelligence: Ensure this is On. This activates the AI learning for the protected users’ contact graphs and communication patterns.

      • Enable intelligence for impersonation protection: Ensure this is On. Uses AI to improve detection based on learned senders/patterns.
    • Actions: Configure actions for detected impersonation (User/Domain) and spoofing. Recommended actions often include Quarantine the message or Redirect message to administrator address and displaying safety tips.
  4. Advanced phishing thresholds: Set the level (e.g., 2: Aggressive, 3: More aggressive, 4: Most aggressive). Higher levels use more sensitive AI/ML models but might increase false positives. Start with 1: Standard or 2: Aggressive and monitor.

  5. Assign the policy to specific users, groups, or the entire domain.

  6. Save the policy.

Example 3: Enabling Safe Links & Safe Attachments (Leverages AI for Analysis)

Requires MDO licenses. These features use sandboxing (detonation) and URL reputation checks, heavily augmented by AI analysis.

  1. Safe Attachments:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Attachments.

    • Click Create or edit an existing policy.

    • Choose an action like Block (blocks email with detected malware) or Dynamic Delivery (delivers email body immediately, attaches placeholder until attachment scan completes – often preferred for user experience).

    • Enable Redirect messages with detected attachments and specify an admin mailbox for review if desired.

    • Apply the policy to users/groups/domains.

    • AI Impact: AI models perform static analysis before detonation and analyze the behavior of the file during detonation in the sandbox to identify novel/zero-day malware.
  2. Safe Links:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Links.

    • Click Create or edit an existing policy.

    • Ensure “On: Safe Links checks a list of known, malicious links when users click links in email” is selected under URL & click protection settings.

    • Enable Apply Safe Links to email messages.

    • Enable Apply real-time URL scanning for suspicious links and links that point to files. (This uses AI and other heuristics).

    • Configure Wait for URL scanning to complete before delivering the message (more secure, slight delay) or leave it off (less secure, no delay).

    • Choose actions for malicious URLs within Microsoft Teams and Office 365 Apps if applicable.

    • Configure Do not rewrite the following URLs for any trusted internal/external sites that break due to rewriting (use sparingly).

    • Apply the policy to users/groups/domains.

    • AI Impact: AI powers the reputation lookups and real-time scanning analysis of URLs, identifying phishing sites, malware hosts, and command-and-control servers even if they aren’t on a static blocklist yet.

Key Takeaways:

  • AI is Integrated: You configure features like Anti-Spam, Anti-Phishing, Safe Links/Attachments, and AI works behind the scenes within those features.

  • MDO is Crucial: The most advanced AI-driven protections (impersonation, advanced phishing detection, Safe Links/Attachments) require Microsoft Defender for Office 365 licenses.

  • Configuration is Tuning: You adjust thresholds (SCL, BCL), enable specific protections (Impersonation), and define actions (Quarantine, Junk, Delete).

  • Monitor & Adapt: Regularly review quarantine, user submissions (use the Report Message Add-in!), and threat reports in the Defender portal to fine-tune policies and understand how AI is performing in your environment. Feedback helps the AI models learn.

By leveraging these AI-powered features and configuring them appropriately, you can significantly improve your organization’s defense against increasingly sophisticated spam and phishing attacks in Exchange Online.

Honouring the ANZAC Legacy: Reflections on ANZAC Day 2025

ANZAC Day, observed on April 25th, stands as one of Australia and New Zealand’s most significant national commemorations. The 2025 observance marks 110 years since the Australian and New Zealand Army Corps (ANZAC) landed on the shores of Gallipoli during World War I, a campaign that has become foundational to both nations’ identities and cultural heritage.

The Historical Significance of ANZAC Day

ANZAC Day commemorates the landing of Australian and New Zealand forces at Gallipoli on April 25, 1915. This military campaign, while ultimately unsuccessful from a strategic standpoint, has come to symbolize the courage, sacrifice, and camaraderie that defines the “ANZAC spirit.”

The Gallipoli campaign was the first major military engagement for Australia as a newly federated nation. Though it resulted in significant casualties—with approximately 8,700 Australian and 2,700 New Zealand soldiers losing their lives—the campaign has been recognized as a pivotal moment in shaping national consciousness. As we mark 110 years since this historic landing, the significance of this sacrifice continues to resonate across generations.

2025 Commemorations Across Australia

This year’s ANZAC Day remembrances continue the tradition of nationwide ceremonies, with particularly notable events marking the 110th anniversary. Dawn services, a tradition dating back to the 1920s, have seen strong attendance nationwide. These solemn ceremonies begin in the early morning darkness, symbolizing the original landing time at Gallipoli, and culminate as the sun rises—representing hope after sacrifice.

Major metropolitan areas including Sydney, Melbourne, Brisbane, Perth, and Adelaide are hosting significant marches featuring veterans from various conflicts, their descendants, and current service members. The Australian War Memorial in Canberra serves as a focal point for national observances, with the customary wreath-laying ceremony and commemorative addresses that acknowledge both historical sacrifices and ongoing service.

Expanding the ANZAC Legacy for Modern Times

While ANZAC Day began as a commemoration specifically for those who served at Gallipoli, it has evolved to honor all Australians and New Zealanders who have served and sacrificed in military operations. The 2025 commemorations particularly highlight:

  • World War II veterans, whose numbers have dwindled significantly as we approach the 80th anniversary of the war’s end

  • Korean War veterans, now mostly in their 90s

  • Vietnam War veterans, many now in their 70s and 80s

  • Veterans of more recent conflicts in Iraq and Afghanistan

  • Personnel involved in humanitarian assistance and disaster relief operations

  • Peacekeepers who have served in various international missions

This year’s commemorations have placed special emphasis on the psychological impact of military service, with increased recognition of the mental health challenges many veterans face and the importance of community support systems.

The Evolving Tradition of ANZAC Day

The 2025 observances maintain the traditional elements integral to ANZAC Day while incorporating contemporary approaches to remembrance:

  • The Last Post and One Minute’s Silence: These solemn traditions continue to form the emotional core of ceremonies

  • The Ode and Poppy Tributes: The recitation of “They shall grow not old…” and the laying of poppies remain powerful symbols of remembrance

  • Digital Commemorations: Virtual reality experiences of historical battlefields are now available at major museums, allowing visitors to better understand the conditions faced by the original ANZACs

  • Intergenerational Programs: Structured opportunities for veterans to share experiences with school children have expanded, ensuring the living transmission of memory

  • Indigenous Recognition: Increased acknowledgment of Aboriginal and Torres Strait Islander service members, who served despite facing discrimination at home

Community and Technological Engagement

The 2025 ANZAC Day demonstrates how technology continues to transform commemoration while maintaining essential traditions. Digital archives accessible via smartphones now allow attendees at ceremonies to look up individual service records and learn specific stories about those being honoured. Social media campaigns encouraging Australians to share family military histories have created a vast, collective digital memorial.

Communities across Australia and New Zealand are also focusing on practical support for veterans, with numerous fundraising initiatives for organizations that provide mental health services, housing assistance, and employment transition programs for returned service members.

International Dimensions

ANZAC Day 2025 is being commemorated at significant international sites including:

  • The Gallipoli Peninsula in Turkey, where a special 110th anniversary service has drawn thousands of Australians and New Zealanders

  • The Sir John Monash Centre at Villers-Bretonneux in France, which continues to educate visitors about Australia’s contribution to the Western Front

  • Various Commonwealth war cemeteries worldwide

The ongoing positive relationship between Australia, New Zealand, and Turkey continues to demonstrate how former adversaries can forge respectful bonds through shared remembrance.

Looking Forward: The Next Century of Remembrance

As we move further into the second century since the Gallipoli landings, ANZAC Day 2025 reflects ongoing efforts to keep the observance meaningful for new generations. Educational initiatives now incorporate augmented reality elements that allow young people to “experience” historical events in immersive ways, while maintaining respect for their gravity.

The Australian government has recently expanded funding for the preservation of war memorials and historical sites, recognizing that physical places of remembrance remain powerful even in our digital age. Additionally, research programs studying the long-term impacts of military service continue to inform better support systems for veterans.

A Day of Unity

In an era of increasing global tensions, ANZAC Day 2025 serves as a reminder of the costs of conflict and the value of peace. Political leaders have emphasized in their addresses that remembering sacrifice should inspire commitment to diplomatic solutions and international cooperation.

As dawn broke across Australia and New Zealand this ANZAC Day, the words “Lest We Forget” echoed once again at ceremonies large and small. In commemorating those who served 110 years ago at Gallipoli, as well as all who have served since, Australians and New Zealanders continue to affirm their commitment to the values of courage, resilience, mateship, and sacrifice that have become central to the national character.

The ANZAC legacy lives on not just in ceremonies, but in how these values continue to inspire service and sacrifice for the greater good in everyday life, reminding us that the best way to honor those who served is to build the peaceful, just society they fought to defend.

How to manage multiple M365 tenants using inbuilt Microsoft tools

Okay, let’s break down how to effectively and securely manage multiple Microsoft 365 (M365) tenants using Microsoft’s integrated and add-on tools, especially when multiple employees need access.

The cornerstone solution for this scenario is Azure Lighthouse. It’s specifically designed for service providers (like MSPs) or enterprise IT teams managing multiple tenants.

Here’s a breakdown of the tools and strategies:

1. Azure Lighthouse (The Foundation)

  • What it is: Azure Lighthouse allows you to manage customer (or subsidiary) Azure and M365 resources from within your own management tenant. It uses Azure Delegated Resource Management.

  • How it works:
    • You (the managing organization) define access roles and permissions for your employees (organized into Microsoft Entra ID groups) within your tenant.

    • You create an “offer” (either a Managed Service offer in the Azure Marketplace or an ARM template deployment) that specifies these roles and the scope (subscriptions, resource groups, or entire tenant for some M365 workloads).

    • The customer/managed tenant accepts this offer, delegating the defined permissions to your specified groups/users in your tenant.
  • Key Benefits:
    • Centralized Management: Your employees log in only to your primary management tenant. They don’t need separate accounts or guest accounts in each customer tenant.

    • Enhanced Security:
      • Reduces credential sprawl (fewer accounts to manage/compromise).

      • Enables consistent application of security policies (like MFA, Conditional Access) from your tenant for your employees accessing customer resources.

      • Uses least privilege principles by assigning specific Azure built-in roles with appropriate permissions.

      • Activity logs in the customer tenant clearly show actions performed by users from your managing tenant.
    • Scalability: Easily onboard new customer tenants and assign permissions to your employee groups.

    • Cross-Tenant Visibility: View resources and alerts across multiple delegated tenants in unified dashboards (e.g., Azure Portal, Microsoft Sentinel).

2. Key Integrated Tools Leveraged with Lighthouse:

  • Azure Portal (portal.azure.com):

    • Directory + Subscription Filter: Your employees can easily switch context between different customer directories/subscriptions they have delegated access to.

    • Azure Resource Management: Manage Azure resources (VMs, networking, storage, etc.) within delegated subscriptions.

    • Microsoft Entra ID Management: Perform delegated Entra ID tasks in customer tenants (user management, group management, etc., depending on assigned roles like User Administrator, Helpdesk Administrator).

    • Service Health: Monitor the health of Azure services across delegated subscriptions.
  • Microsoft 365 Admin Centers (Accessed via Delegation):

    • While Lighthouse primarily delegates Azure roles, many M365 services are managed via Azure RBAC or have corresponding Azure AD roles that grant access.

    • Your employees, using their single login, can often access customer M365 admin centers (like admin.microsoft.com, Exchange Admin Center, SharePoint Admin Center, Teams Admin Center, security.microsoft.com, compliance.microsoft.com) if they have been assigned appropriate delegated Entra ID roles (e.g., Global Reader, Exchange Administrator, Teams Administrator, Security Administrator). The context switching happens within the respective admin portals.
  • Microsoft Sentinel:

    • Cross-Workspace Incident Viewing: If you deploy Sentinel workspaces in customer tenants, Lighthouse allows you to view and manage incidents across multiple workspaces from your managing tenant’s Sentinel instance.

    • Centralized SIEM: You can configure data connectors in each managed tenant to forward logs (Entra ID, M365 Defender, etc.) to a central Sentinel workspace in your management tenant for unified threat detection and response. This often requires specific permissions or configurations within the managed tenant.
  • Microsoft Defender Portals (security.microsoft.com / Microsoft 365 Defender & compliance.microsoft.com / Microsoft Purview):

    • Lighthouse delegation (with appropriate roles like Security Administrator/Reader, Compliance Administrator) allows your employees to access these portals for managed tenants.

    • While full cross-tenant unified views within these specific portals are still evolving, delegation significantly simplifies access compared to managing separate accounts. Some multi-tenant views are emerging, particularly for MSPs using Defender for Endpoint.
  • Microsoft Defender for Cloud:

    • Assess the security posture of Azure resources across delegated subscriptions.

    • Manage security policies and recommendations centrally.

3. Essential Supporting Tools & Practices:

  • PowerShell (Microsoft Graph SDK, Azure Az, Exchange Online, etc.):
    • Automation: Crucial for performing tasks at scale across multiple tenants (e.g., applying a standard configuration, running reports, user management).

    • Authentication: Use your managing tenant credentials combined with the delegated tenant ID to connect and manage resources programmatically. Service Principals in your managing tenant can also be granted delegated permissions via Lighthouse for automated tasks. Use secure authentication methods (certificates, managed identities where applicable) instead of interactive logins or stored credentials for scripts.
  • Microsoft Graph API:
    • The underlying API for Azure and M365. Use it directly or via SDKs (like the PowerShell SDK) for complex automation and integration scenarios across tenants. Again, authentication leverages the Lighthouse delegation.
  • Microsoft Entra ID Features (in your Managing Tenant):
    • Security Groups: Create groups for different support tiers or roles (e.g., “Tier 1 Support”, “Exchange Admins”, “Security Analysts”). Assign Lighthouse delegated permissions to these groups, not individual users. Managing group membership is easier than managing individual permissions across many tenants.

    • Conditional Access Policies: Enforce MFA, device compliance, location restrictions, etc., for your employees when they access any resources, including delegated customer tenants. This is a major security benefit.

    • Privileged Identity Management (PIM): Use PIM in your managing tenant to provide just-in-time (JIT) access to the Azure AD groups that hold the delegated Lighthouse permissions. This further enhances security by ensuring elevated privileges are only active when needed and for a limited time.

    • Access Reviews: Regularly review who has access to the delegated permission groups in your tenant.
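The authentication pattern described above, as an added example (not from the original post): a service principal in the managing tenant signs in with a certificate, finds the subscriptions delegated to it through Lighthouse, and runs a read-only Defender for Cloud plan report on each. The tenant ID, application ID and thumbprint are placeholders, and the script assumes the Az.Accounts and Az.Security modules are installed and the service principal holds at least a reader-level delegated role.

```powershell
# Added example. Requires the Az.Accounts and Az.Security modules.
# All IDs and the thumbprint below are placeholders, not real values.
$ManagingTenantId = '00000000-0000-0000-0000-000000000001'  # your managing tenant
$AppId            = '00000000-0000-0000-0000-000000000002'  # app registration in that tenant
$CertThumbprint   = '<certificate-thumbprint>'              # certificate in the local store

# Non-interactive, certificate-based sign-in: no password or client secret in the script.
Connect-AzAccount -ServicePrincipal -Tenant $ManagingTenantId `
    -ApplicationId $AppId -CertificateThumbprint $CertThumbprint -ErrorAction Stop | Out-Null

# A delegated subscription has a different home tenant (the customer) and lists
# the managing tenant in ManagedByTenantIds.
$delegated = Get-AzSubscription | Where-Object {
    $_.HomeTenantId -ne $ManagingTenantId -and
    $_.ManagedByTenantIds -contains $ManagingTenantId
}

$report = foreach ($sub in $delegated) {
    try {
        # Switch context to the customer subscription, then read its Defender plans.
        Set-AzContext -Subscription $sub.Id -ErrorAction Stop | Out-Null
        $freePlans = Get-AzSecurityPricing -ErrorAction Stop |
            Where-Object { $_.PricingTier -eq 'Free' }

        [pscustomobject]@{
            CustomerTenant = $sub.HomeTenantId
            Subscription   = $sub.Name
            FreeTierPlans  = ($freePlans.Name -join ', ')
            Error          = $null
        }
    }
    catch {
        # One failing customer must not stop the run; record the error and continue.
        [pscustomobject]@{
            CustomerTenant = $sub.HomeTenantId
            Subscription   = $sub.Name
            FreeTierPlans  = $null
            Error          = $_.Exception.Message
        }
    }
}

$report | Sort-Object CustomerTenant, Subscription | Format-Table -AutoSize
Disconnect-AzAccount | Out-Null
```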

4. Implementation Strategy:

  1. Design Your Management Structure: Define roles and responsibilities for your employees. Create corresponding Microsoft Entra ID security groups in your management tenant.

  2. Define Lighthouse Offers: Determine the necessary Azure built-in roles (e.g., Reader, Contributor, User Access Administrator, specific service admin roles) needed for each employee group. Create ARM templates or Managed Service offers for delegation.

  3. Onboard Customer Tenants: Deploy the ARM templates to the customer tenants, or have customers accept the Managed Service offers in their respective tenants. This establishes the delegation.

  4. Configure Security in Your Tenant: Implement robust Conditional Access policies and PIM for the groups assigned delegated permissions.

  5. Train Your Staff: Ensure employees understand how to use the Azure Portal directory switcher, how delegated permissions work, and the security protocols (MFA, PIM activation).

  6. Leverage Automation: Identify repetitive tasks and automate them using PowerShell/Graph API with delegated credentials or service principals.

  7. Utilize Centralized Monitoring: Configure Sentinel or other monitoring tools to gain cross-tenant visibility.
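A pre-onboarding check for step 2, as an added example (not from the original post): it reads a delegation template and flags role choices that need attention before the template goes to a customer. The template is a constructed sample with placeholder tenant and principal GUIDs; the role GUIDs are the Azure built-in role IDs, and `Test-LighthouseDelegation` is a hypothetical helper name. It relies on two Lighthouse rules: the Owner role cannot be delegated, and User Access Administrator is only accepted together with `delegatedRoleDefinitionIds`.

```powershell
# Added example: static check of a Lighthouse delegation template (constructed sample).
# Tenant and principal GUIDs are placeholders; the role GUIDs are Azure built-in role IDs.
$BuiltInRoles = @{
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
}

$SampleTemplate = @'
{
  "resources": [{
    "type": "Microsoft.ManagedServices/registrationDefinitions",
    "apiVersion": "2022-10-01",
    "name": "00000000-0000-0000-0000-0000000000aa",
    "properties": {
      "registrationDefinitionName": "Constructed sample offer",
      "managedByTenantId": "00000000-0000-0000-0000-000000000001",
      "authorizations": [
        { "principalId": "00000000-0000-0000-0000-000000000011", "principalIdDisplayName": "Tier 1 Support",
          "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" },
        { "principalId": "00000000-0000-0000-0000-000000000012", "principalIdDisplayName": "Security Analysts",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" },
        { "principalId": "00000000-0000-0000-0000-000000000013", "principalIdDisplayName": "Automation SP",
          "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" },
        { "principalId": "00000000-0000-0000-0000-000000000014", "principalIdDisplayName": "Exchange Admins",
          "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" }
      ]
    }
  }]
}
'@

function Test-LighthouseDelegation {
    param([Parameter(Mandatory)][string]$TemplateJson)

    $template = $TemplateJson | ConvertFrom-Json
    $definitions = $template.resources |
        Where-Object { $_.type -eq 'Microsoft.ManagedServices/registrationDefinitions' }

    foreach ($definition in $definitions) {
        $authorizations = $definition.properties.authorizations
        if ($authorizations -is [string]) {
            # e.g. "[parameters('authorizations')]": the values live in the parameter file.
            Write-Warning 'Authorizations are parameterised; run this against resolved values.'
            continue
        }
        foreach ($auth in $authorizations) {
            $role = $BuiltInRoles[[string]$auth.roleDefinitionId]
            $finding = if (-not $role) {
                'REVIEW: role not in the lookup table; confirm it is a supported built-in role'
            } elseif ($role -eq 'Owner') {
                'ERROR: Owner is not supported for Lighthouse delegation'
            } elseif ($role -eq 'User Access Administrator' -and -not $auth.delegatedRoleDefinitionIds) {
                'ERROR: User Access Administrator needs delegatedRoleDefinitionIds'
            } elseif ($role -in 'Contributor', 'User Access Administrator') {
                'REVIEW: standing write access; gate group membership with PIM'
            } else { 'OK' }

            [pscustomobject]@{
                Principal = $auth.principalIdDisplayName
                Role      = if ($role) { $role } else { $auth.roleDefinitionId }
                Finding   = $finding
            }
        }
    }
}

Test-LighthouseDelegation -TemplateJson $SampleTemplate | Format-Table -AutoSize
```

The template cannot show whether a `principalId` is a group or an individual user, so that part of the review still has to be done against the managing tenant's directory.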

In Summary:

Azure Lighthouse is the core Microsoft technology enabling secure and efficient multi-tenant management. By combining it with the Azure Portal, M365 admin centers, Sentinel, Defender, PowerShell, and robust Microsoft Entra ID security features (Groups, CA, PIM) within your managing tenant, you can provide your employees with streamlined, secure access to manage multiple customer environments effectively.

Governing AI usage with Microsoft 365 Business Premium


Here’s the best way to leverage M365 Business Premium for AI governance, covering both Microsoft’s AI (like Copilot) and third-party services:

Core Principle: Governance relies on controlling Access, protecting Data, managing Endpoints, and Monitoring activity, layered with clear Policies and user Training.

1. Establish Clear AI Usage Policies & Training (Foundation)

  • What: Define acceptable use policies for AI. Specify:

    • Which AI tools are approved (if any beyond Microsoft’s).

    • What types of company data (if any) are permissible to input into any AI tool (especially public/third-party ones). Prohibit inputting sensitive, confidential, or PII data into non-approved or public AI.

    • Guidelines for verifying AI output accuracy and avoiding plagiarism.

    • Ethical considerations and bias awareness.

    • Consequences for policy violations.
  • How (M365 Support):
    • Use SharePoint to host and distribute the official AI policy documents.

    • Use Microsoft Teams channels for discussion, Q&A, and announcements regarding AI policies.

    • Utilize tools like Microsoft Forms or integrate with Learning Management Systems (LMS) for tracking policy acknowledgment and training completion.

2. Control Access to AI Services

  • Microsoft AI (Copilot for Microsoft 365):
    • What: Control who gets access to Copilot features within M365 apps.

    • How:
      • Licensing: Copilot for M365 is an add-on license. Assign licenses only to approved users or groups via the Microsoft 365 Admin Center or Microsoft Entra ID (formerly Azure AD) group-based licensing. This is your primary control gate.
  • Third-Party AI Services (e.g., ChatGPT, Midjourney, niche AI tools):
    • What: Limit or block access to unapproved external AI websites and applications.

    • How (M365 BP Tools):
      • Microsoft Defender for Business: Use its Web Content Filtering capabilities. Create policies to block categories (like “Artificial Intelligence” if available) or specific URLs of unapproved AI services accessed via web browsers on managed devices.

      • Microsoft Intune:
        • For company-managed devices (MDM): You can configure browser policies or potentially deploy endpoint protection configurations that restrict access to certain sites.

        • If third-party AI tools have installable applications, use Intune to block their installation on managed devices.
      • Microsoft Entra Conditional Access (Requires Entra ID P1 – included in M365 BP):
        • If a third-party AI service integrates with Entra ID for Single Sign-On (SSO), you can create Conditional Access policies to block or limit access based on user, group, device compliance, location, etc.

        • Limitation: This primarily works for AI services using Entra ID for authentication. It won’t block access to public web AI services that don’t require organizational login.

3. Protect Data Used With or Generated By AI

  • What: Prevent sensitive company data from being leaked into AI models (especially public ones) and ensure data handled by approved AI (like Copilot) remains secure.

  • How (M365 BP Tools):
    • Microsoft Purview Information Protection (Sensitivity Labels):
      • Classify Data: Implement sensitivity labels (e.g., Public, General, Confidential, Highly Confidential). Train users to apply labels correctly to documents and emails.

      • Apply Protection: Configure labels to apply encryption and access restrictions. Encrypted content generally cannot be processed by external AI tools if pasted. Copilot for M365 respects these labels and permissions.
    • Microsoft Purview Data Loss Prevention (DLP):
      • Define Policies: Create DLP policies to detect sensitive information types (credit card numbers, PII, custom sensitive data based on keywords or patterns) within M365 services (Exchange, SharePoint, OneDrive, Teams) and on endpoints.

      • Endpoint DLP (Crucial for Third-Party AI): Configure Endpoint DLP policies to monitor and block actions like copying sensitive content to USB drives, network shares, cloud services, or pasting into web browsers accessing specific non-allowed domains (like public AI websites). You can set policies to block, warn, or just audit.

      • Copilot Context: Copilot for M365 operates within your M365 tenant boundary and respects existing DLP policies and permissions. Data isn’t used to train public models.
    • Microsoft Intune App Protection Policies (MAM – for Mobile/BYOD):
      • Control Data Flow: If users access M365 data on personal devices (BYOD), use Intune MAM policies to prevent copy/pasting data from managed apps (like Outlook, OneDrive) into unmanaged apps (like a personal browser accessing a public AI tool).

4. Manage Endpoints

  • What: Ensure devices accessing company data and potentially AI tools are secure and compliant.

  • How (M365 BP Tools):
    • Microsoft Intune (MDM/MAM): Enroll devices (Windows, macOS, iOS, Android) for management. Enforce security baselines, require endpoint protection (Defender), encryption, and patching. Non-compliant devices can be blocked from accessing corporate resources via Conditional Access.

    • Microsoft Defender for Business: Provides endpoint security (Antivirus, Attack Surface Reduction, Endpoint Detection & Response). Helps protect against malware or compromised endpoints that could exfiltrate data used with AI.

5. Monitor and Audit AI-Related Activity

  • What: Track usage patterns, potential policy violations, and data access related to AI.

  • How (M365 BP Tools):
    • Microsoft Purview Audit Log: Search for activities related to file access, sensitivity label application/changes, and DLP policy matches (including Endpoint DLP events showing attempts to paste sensitive data into blocked sites). While it won’t show what was typed into an external AI, it shows attempts to move sensitive data towards it.

    • Microsoft Defender for Business Reports: Review web filtering reports to see attempts to access blocked AI sites.

    • Entra ID Sign-in Logs: Monitor logins to any Entra ID-integrated AI applications.

    • Copilot Usage Reports (via M365 Admin Center): Track adoption and usage patterns for Microsoft Copilot across different apps.

Summary: The “Best Way” using M365 Business Premium

  1. Foundation: Start with clear Policies and Training. This is non-negotiable.

  2. Control Access: Use Licensing for Copilot. Use Defender Web Filtering and potentially Intune/Conditional Access to restrict access to unapproved third-party AI.

  3. Protect Data: Implement Sensitivity Labels to classify and protect data at rest. Use Endpoint DLP aggressively to block sensitive data from being pasted into browsers/unapproved apps. Use Intune MAM for BYOD data leakage prevention.

  4. Secure Endpoints: Ensure devices are managed and secured via Intune and Defender for Business.

  5. Monitor: Regularly review Purview Audit Logs, DLP Reports, and Defender Reports for policy violations and risky behavior.

Limitations to Consider:

  • No foolproof blocking: Highly determined users might find ways around web filtering (e.g., personal devices not managed, VPNs not routed through corporate controls).

  • Limited insight into third-party AI: M365 tools can block access and prevent data input but cannot see what users do inside an allowed third-party AI tool or analyze its output directly.

  • Requires Configuration: These tools are powerful but require proper setup, configuration, and ongoing management.

By implementing these layers using the tools within Microsoft 365 Business Premium, you can establish robust governance over AI usage, balancing productivity benefits with security and compliance needs.

Microsoft Global Secure Access and M365 Business Premium


What is Microsoft Global Secure Access (GSA)?

Microsoft Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. Think of it as a modern, cloud-native security perimeter that helps organizations secure access to any application or resource, regardless of where the user or the resource is located. It’s part of the broader Microsoft Entra product family (which also includes Entra ID, formerly Azure AD).

GSA converges networking and security capabilities, moving away from traditional perimeter-based security (like on-premises firewalls and VPNs) towards a model centered on identity and delivered from Microsoft’s global network edge.

It primarily consists of two core services:

  1. Microsoft Entra Internet Access: Secures access to the public internet, SaaS applications, and Microsoft 365 apps. It acts like a cloud-based Secure Web Gateway (SWG), filtering traffic, applying security policies, and protecting users from web threats.

  2. Microsoft Entra Private Access: Provides secure, Zero Trust Network Access (ZTNA) to private corporate resources (applications hosted on-premises or in IaaS environments) without needing traditional VPNs.

Benefits of Microsoft Global Secure Access:

GSA offers significant advantages, especially for organizations embracing hybrid work and cloud adoption:

  1. Enhanced Security Posture (Zero Trust Alignment):

    • Granular Access Control: Moves beyond simple network access (like VPNs grant) to application-level access based on strong identity verification (user, device health, location) enforced by Microsoft Entra Conditional Access.

    • Reduced Attack Surface: Eliminates the need to expose private applications directly to the internet or grant broad network access via VPNs. Users only get access to the specific resources they are authorized for.

    • Consistent Policy Enforcement: Apply unified security policies (like requiring MFA, compliant devices, etc.) across M365 apps, SaaS apps, internet browsing, and private resources.

    • Threat Protection: Entra Internet Access provides security features like web content filtering, malicious site blocking, and integration with Microsoft’s threat intelligence to protect users browsing the web.
  2. Improved User Experience:

    • Faster & More Direct Access: Leverages Microsoft’s vast global network. Traffic is routed optimally to the nearest Microsoft Point of Presence (PoP) and then directly to the resource (M365, SaaS, internet, or private app via connector), often resulting in lower latency than backhauling traffic through a central VPN concentrator.

    • Seamless Connectivity: Users connect automatically via the GSA client without the often clunky manual connection process of traditional VPNs.

    • Works Anywhere: Provides consistent security and access experience whether the user is in the office, at home, or traveling.
  3. Simplified Management & Operations:

    • Unified Console: Managed directly within the Microsoft Entra admin center alongside identity and other security settings.

    • Reduced Infrastructure Complexity: Eliminates or reduces the need to manage complex on-premises VPN concentrators, firewalls, and web proxies.

    • Cloud-Native Scalability: Scales automatically with your needs without requiring hardware upgrades.

    • Integrated Logging & Reporting: Provides centralized visibility into access patterns and security events across different resource types.
  4. Cost Savings (Potential):

    • Consolidation: Can potentially replace multiple point solutions (VPN, SWG, ZTNA products) with a single integrated platform.

    • Reduced Infrastructure Costs: Lower operational overhead associated with managing on-premises security appliances.
  5. Better Integration with Microsoft Ecosystem:

    • Deep Conditional Access Integration: GSA network conditions (like “compliant network”) can be used as signals within Conditional Access policies for richer context-aware authorization.

    • Leverages Entra ID: Builds directly on your existing identity foundation in Microsoft Entra ID.

Enabling Global Secure Access with M365 Business Premium License:

This is where it gets a bit nuanced, as licensing for GSA features has evolved. Here’s the breakdown relevant to M365 Business Premium:

  1. Prerequisite – Microsoft Entra ID P1: M365 Business Premium includes Microsoft Entra ID P1. This is the foundational requirement for using Global Secure Access features.

  2. Included Functionality (as of recent updates):

    • Microsoft Entra Internet Access for Microsoft 365 Traffic: A significant update (announced around May 2024) is that the capability to secure Microsoft 365 traffic (SharePoint Online, Exchange Online, Teams) through GSA, and use the source IP restoration feature, is now included with all Microsoft Entra ID licenses (Free, P1, P2). This means your M365 Business Premium license covers securing your M365 traffic via GSA and applying Conditional Access policies based on GSA signals for M365 apps.
  3. Functionality Requiring Additional Licenses:

    • Microsoft Entra Internet Access for All Internet Traffic: To secure all outbound internet and SaaS app traffic (beyond just M365), you generally need a specific Microsoft Entra Internet Access license (available as P1 or P2 standalone add-ons). This provides the full SWG capabilities like web content filtering across all sites.

    • Microsoft Entra Private Access: To secure access to your private, on-premises, or IaaS-hosted applications, you need a Microsoft Entra Private Access license (available as P1 or P2 standalone add-ons).

    • Bundles: These GSA licenses are often bundled within higher-tier licenses like Microsoft 365 E3 or E5, or available for purchase separately.

    In summary for M365 Business Premium: You get the Entra ID P1 prerequisite and the ability to secure M365 traffic via GSA included. For full internet traffic protection or private app access, you typically need to purchase GSA-specific add-on licenses.

How to Enable and Configure (Assuming Necessary Licenses):

The enablement process happens within the Microsoft Entra admin center (entra.microsoft.com):

  1. Prerequisites Check:

    • Ensure you have the necessary licenses (M365 Business Premium for the base + potentially GSA add-ons depending on your goals).

    • You need appropriate administrative roles (e.g., Global Administrator, Security Administrator, or the specific Global Secure Access Administrator roles).
  2. Activate Global Secure Access:

    • Navigate to the Microsoft Entra admin center.

    • Go to Global Secure Access (Preview) in the left-hand navigation pane. (Note: It might still be labeled “Preview” even as features reach general availability.)

    • If it’s your first time, you might see an activation screen. Click Activate to enable the GSA features for your tenant.
  3. Configure Traffic Forwarding Profiles:

    • Under Global Secure Access, go to Connect > Traffic forwarding.

    • Here you manage how client traffic gets sent to the GSA service. You’ll see profiles like:

      • Microsoft 365 profile: This is likely enabled by default if you have the appropriate license (like M365 BP). It directs M365 traffic through GSA.

      • Internet access profile: You need to explicitly enable this if you want all internet traffic forwarded (requires the Entra Internet Access license).

      • Private access profile: Enable this if you want to route traffic to private resources (requires the Entra Private Access license).
  4. Deploy the Global Secure Access Client:

    • Under Global Secure Access, go to Connect > Client download.

    • Download the GSA client for Windows.

    • Deploy this client to your end-user devices (e.g., via Intune, included in M365 Business Premium). The client automatically captures traffic based on the enabled forwarding profiles and sends it to the GSA service edge.
  5. Configure Internet Access Policies (If Licensed for Full Internet Access):

    • Navigate to Global Secure Access > Secure.

    • Web content filtering policies: Create policies to block specific categories of websites.

    • Security profiles: Link Conditional Access policies to enforce security requirements for internet access.
  6. Configure Private Access (If Licensed):

    • This is more involved:

      • Install Connectors: Go to Connect > Connectors. Download and install the lightweight Entra Private Access Connector agent on a server(s) within your private network that has access to the target applications.

      • Configure Connector Groups: Organize your connectors.

      • Define Enterprise Applications: Go to Applications > Enterprise applications in Entra ID. Create/configure representations of your private apps.

      • Configure Quick Access or Global Secure Access Apps: Under Global Secure Access > Applications > Quick Access (for simple setup) or Global Secure Access Apps (for per-app configuration), define which private apps should be accessible via GSA and link them to the appropriate connector groups. Assign users/groups to these apps.
  7. Integrate with Conditional Access:

    • Go to Protection > Conditional Access in the Entra admin center.

    • When creating or editing policies, under Conditions > Locations, you can now configure it to include “All Compliant Network locations”. This represents traffic coming through GSA.

    • You can create policies like “Require MFA if accessing App X unless connecting from a Compliant Network (GSA)”.
  8. Monitor and Report:

    • Use the Monitor section within Global Secure Access to view traffic logs, connectivity health, and reports.

Important Considerations:

  • Licensing is Key: Double-check the latest Microsoft licensing documentation or consult with a Microsoft partner/representative. Licensing details, especially for newer services like GSA, can change. What’s included in M365 Business Premium today regarding GSA might evolve.

  • Preview Status: Some GSA components might still be in public preview, meaning they are subject to change and might not have full support SLAs yet.

  • Client Deployment: Plan your rollout of the GSA client to end-user devices.

  • Network Configuration: Ensure firewalls allow outbound traffic from the GSA client (port 443) and from the Private Access connectors (outbound 443).

By leveraging Global Secure Access, even with just the M365 traffic protection included in Business Premium, you start aligning with Zero Trust principles and enhance security for your Microsoft 365 environment. Adding the full Internet and Private Access capabilities provides a comprehensive SSE solution.