The Lessons Only Show Up After You Commit

image

Someone said to me recently that the things you experience from actually going all in on something will change the way you think and the way you experience life. I sat with that for a few days, and I keep coming back to how true it is. The lessons I’ve learnt that actually shaped me — the ones I still use — never arrived from reading about them or watching someone else do it. They arrived after I committed. After I hit publish on the video. After I greenlit the project. After I said yes to the thing that might not work.

You can’t think your way to the lesson

For years I noticed a pattern in my own work. The plans that lived in a Word doc were always cleaner than the plans I actually shipped. The launches I’d rehearsed in my head were always smoother than the ones in the wild. But the rehearsal never taught me anything. The shipping did. You only find out what your audience actually wants once you put something in front of them. You only find out where the workflow breaks once a real client sits in it on a Tuesday morning.

This is where I think a tool like Copilot has quietly changed how I move. I used to delay things because the draft email wasn’t right, the outline wasn’t sharp enough, the slides weren’t worth showing yet. Now I’ll ask Copilot in Outlook to give me a first pass on a reply, sit with it for a minute, and send something that’s eighty per cent of where it needs to be. I’ll spin up a rough deck in PowerPoint with Copilot drafting from a Word doc I’ve already written, and I’ll show it to someone for feedback the same afternoon instead of next week. The point isn’t that Copilot writes the thing for me. The point is that it removes the excuse to keep polishing before I commit.

Not every bet pays off — and that’s the lesson

I’ve greenlit plenty of projects that didn’t go anywhere. Videos that landed flat. Ideas I was sure would resonate that quietly didn’t. If I’d waited for certainty on any of them, I wouldn’t have learnt what my audience actually responds to. I wouldn’t know which formats earn attention and which ones don’t. I wouldn’t have built the muscle of recovering from a miss and trying again the next week.

What I notice now in clients I work with is the same pattern. The teams that are getting real value from Microsoft 365 and Copilot aren’t the ones who ran a six-month readiness program. They’re the ones who picked a use case, tried it inside Teams or in a SharePoint workspace, watched what happened, and adjusted. They committed first and refined second. The ones still building the business case in a Loop component are usually the ones falling further behind.

The shift is in your thinking

Going all in changes you because it forces you to live with the result. You learn what works because you watched it land. You learn what doesn’t because you felt it. That kind of knowledge doesn’t come from analysis — it comes from being in the arena.

I’d rather ship something imperfect this week and know what to fix next week, than spend a month protecting an idea that never meets the world. Every meaningful jump I’ve made in my business started with that decision. Hit publish. Greenlight it. Find out.

Privileged Identity Management (PIM) for Entra roles

image

Walk into most SMB tenants and check who holds Global Administrator. You’ll find at least one. Often three. Sometimes more. All permanent. All active. All the time.

That’s standing privilege. And it’s the biggest gift you can hand a token thief.

Most MSPs I talk to know about Privileged Identity Management. They’ve seen it in the Entra admin centre. They just don’t switch it on for clients, because they assume it’s an enterprise thing — too expensive, too complicated, too overkill for a 25-seat business.

Wrong on all three.

What is PIM, really?

PIM is just-in-time admin access. You stop being a Global Administrator all day every day, and start being eligible for it. When you need the role, you put yourself in for a fixed window, with a justification and a record. A few hours later it drops off. You’re back to a normal user.

That’s not least privilege as a slogan. That’s least privilege as a clock.

You can layer MFA on activation, approval workflows where one admin signs off on another’s elevation, and access reviews that quietly remind you each quarter that someone’s eligibility hasn’t been used in 90 days. All portal-driven. No scripts. Microsoft’s overview of PIM is worth a read, but the licensing point is the one that trips everyone up.

PIM needs Entra ID P2 or Entra ID Governance. That’s not in Business Premium. But — and this is the part MSPs miss — you only need to licence the admins, not every seat. Three admin accounts is your premium. Compare that to one incident.

Step-by-step: switching on PIM for Global Administrator

Run through this in the Entra admin centre. Sign in as a Global Administrator and licence the admin accounts you want under PIM first.

Park a break-glass account

Before touching a role, create a dedicated break-glass admin. Permanent active Global Administrator. Long random password in your password manager. Excluded from every Conditional Access policy. Alert on every sign-in to it, because it should never be used outside an emergency. Document it somewhere you can find at 2am.

This is the one account PIM doesn’t touch. Skip this step and you’ll lock yourself out the first time MFA goes sideways.

Open ID Governance

ID Governance → Privileged Identity Management → Microsoft Entra roles → Roles.

Configure role settings for Global Administrator

Select Global Administrator → Role settings → Edit. Microsoft documents every option here; the ones that earn their keep look like this:

Activation maximum duration:   4 hours
Require MFA on activation:     Yes
Require justification:         Yes
Require approval to activate:  Yes (2 approvers, not self)
Permanent eligible assignment: Disallowed
Notification on activation:    All Global Admins

Notice what’s missing? PowerShell. None of this needs it.

Move existing GAs from active to eligible

Assignments → find each Global Administrator → use the assign roles flow to make them eligible instead. Same permissions — only when they ask for them.

Schedule an access review

Under Access reviews, set up a quarterly review of all eligible Global Administrators. Configure it to auto-remove on no response. The clients who think this is overkill are the clients who’ll have an ex-staffer with admin rights twelve months from now.
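Before you move anyone, and again after you finish, it is worth listing exactly who holds Global Administrator and how. The following is an added example, not something from the original post, and it uses the Microsoft Graph PowerShell SDK even though the portal steps above do not need it. It assumes the SDK is installed, that the signed-in account can read role management data, and that the break-glass UPN placeholder is replaced with your own; the Global Administrator template ID is Microsoft's well-known value.

```powershell
# Added example (not from the original post): enumerate who holds Global Administrator
# and classify each holder as standing (permanent active), time-bound active, PIM-activated
# or merely eligible. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in account can read role management data. The break-glass UPN is a placeholder.

Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects

$BreakGlassUpn      = 'breakglass@contoso.onmicrosoft.com'    # placeholder: your documented break-glass account
$GlobalAdminRoleId  = '62e90394-69f5-4237-9190-012177145e10'  # well-known template ID for Global Administrator

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All' -NoWelcome

$filter = "roleDefinitionId eq '$GlobalAdminRoleId'"

# Active assignments: permanent ones and PIM activations currently inside their window.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -All
# Eligible assignments: what PIM-enrolled admins should have instead of a standing role.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All

# Resolve principal IDs (users, groups or service principals) to names in one call.
$ids   = @(@($active.PrincipalId) + @($eligible.PrincipalId) | Where-Object { $_ } | Select-Object -Unique)
$names = @{}
if ($ids.Count -gt 0) {
    Get-MgDirectoryObjectById -Ids $ids | ForEach-Object {
        $n = $_.AdditionalProperties['userPrincipalName']
        if (-not $n) { $n = $_.AdditionalProperties['displayName'] }
        $names[$_.Id] = $n
    }
}

$report = [System.Collections.Generic.List[object]]::new()
foreach ($a in $active) {
    $permanent = ($a.ScheduleInfo.Expiration.Type -eq 'noExpiration')
    $state = if ($a.AssignmentType -eq 'Activated') { 'Active (PIM activation)' }
             elseif ($permanent)                    { 'STANDING (permanent active)' }
             else                                   { 'Active (time-bound)' }
    $report.Add([pscustomobject]@{
        Principal = $names[$a.PrincipalId]
        Via       = $a.MemberType        # Direct, or Group when inherited via a role-assignable group
        State     = $state
        Expires   = $a.ScheduleInfo.Expiration.EndDateTime
    })
}
foreach ($e in $eligible) {
    $report.Add([pscustomobject]@{
        Principal = $names[$e.PrincipalId]
        Via       = $e.MemberType
        State     = 'Eligible'
        Expires   = $e.ScheduleInfo.Expiration.EndDateTime
    })
}
$report | Sort-Object State, Principal | Format-Table -AutoSize

# The check: once the migration is done, the only standing Global Administrator should be break-glass.
$standing = $report | Where-Object { $_.State -like 'STANDING*' -and $_.Principal -ne $BreakGlassUpn }
if ($standing) {
    Write-Warning 'Standing Global Administrator assignments remain outside the break-glass account:'
    $standing | Format-Table Principal, Via -AutoSize
} else {
    Write-Host 'Only the break-glass account holds Global Administrator permanently.'
}
```

Run it once before step "Move existing GAs from active to eligible" to get the baseline, and once after: the second run should list every human admin as Eligible and exactly one STANDING entry. A Group entry under Via means someone is inheriting the role through a role-assignable group, which the portal's per-user view makes easy to miss.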

Why this actually changes behaviour

PIM isn’t a tool. It’s a posture. The second a Global Admin has to type a reason and wait for approval, two things happen — they stop using GA for the trivial stuff, and someone else sees every elevation.

“But our admins will hate this.”

They’ll hate it for a week. Then they’ll forget it’s there, because activation is two clicks. And the first time you can prove with an audit log that no privileged account was active during an incident, you’ll wonder how you ran tenants any other way.

A standing Global Admin is a key under the doormat. PIM is the locksmith.

If you’re not setting this up for your clients, you’re leaving the front door open and calling it security.

Entra ID backup just turned up in your Business Premium tenant

image

A few weeks ago I logged into a Business Premium tenant to do something completely unrelated and noticed a new node in the Entra portal: Backup and Recovery. No upsell banner, no add-on prompt, no “contact your reseller”. Just there. Sitting under Identity governance like it had always been part of the furniture.

That’s the bit worth pausing on. Microsoft has quietly turned identity backup into table stakes for every BP tenant. Notice what’s missing? An invoice.

For years the conversation around protecting your directory has been someone else’s product pitch. Third-party backup vendors built entire businesses on the fact that Microsoft wouldn’t restore a Conditional Access policy you nuked at 4pm on a Friday. Now Microsoft is restoring it for you.

What is Entra Backup and Recovery, really?

It’s a daily snapshot of the configuration that runs your tenant’s identity. Users, groups, applications, service principals, Conditional Access policies, named locations, the authentication methods policy — the things that, when they go missing, take down sign-in for your whole client base.

Five days of retention. Tamper-resistant. No global admin can switch it off, no compromised account can wipe the safety net before the bad thing happens. That’s not a feature. That’s governance.

Important caveats so you don’t sell something that isn’t there. Hard-deleted objects are gone — the recycle bin still does its 30-day job for users and groups, but Backup is for configuration recovery, not undeleting things. Hybrid identity synced from on-premises AD has limitations. Workforce tenants only — not B2C or External ID. And it’s currently in Public Preview, so treat it like one. The official overview is worth a read before you stand in front of a client.

A daily snapshot you can’t disable is more honest than a backup product you forget to renew.

Step-by-Step: turning it on for a Business Premium tenant

1. Sign in to the Entra admin centre

Use a Global Administrator account. Navigate to Identity governance → Backup and Recovery. If the node isn’t there yet, give the tenant a day — rollout is staged.

2. Enable the service

It’s a single switch. Once enabled, the first snapshot is captured within 24 hours. There’s nothing to license — Business Premium already includes Entra ID P1, which is the bar.

3. Assign the right roles

There are two purpose-built ones: Microsoft Entra Backup Reader and Microsoft Entra Backup Administrator. Don’t hand recovery rights to every Global Admin out of habit. Restoring a Conditional Access policy from a five-day-old snapshot is exactly the sort of move you want logged against a named, scoped role.

4. Run a Difference Report before you restore anything

This is the part that earns its keep. Before recovering an object, the portal shows you what will change — what’s in the snapshot, what’s live, and where they disagree. You see the diff before you click. The supported objects and limitations page tells you exactly what’s in scope.

Why this actually changes behaviour

Here’s the real win. The reason MSPs have been selling backup-for-Entra add-ons is fear — what if? That conversation gets harder when Microsoft has put a tamper-resistant safety net in the box.

My recommendation? Stop selling fear. Start showing governance. Walk your BP clients through their backup status, the role separation, and the recovery flow for applications and service principals. It takes ten minutes and it positions you as the person who knew this was already there, not the person trying to bolt something on top.

That’s not a product conversation. That’s an advisor conversation.

The relief, when you find it, isn’t the relief of buying a safety net. It’s the relief of finding one you didn’t have to install.

Microsoft Fabric: Turning Your Business Data into Decisions (Without the Headaches)

image

Most small and medium businesses already have plenty of data.

It lives in your accounting system, your CRM, Microsoft 365, spreadsheets, and half a dozen other apps you rely on every day. The problem isn’t a lack of data — it’s that turning that data into clear, trusted answers is still harder than it should be.

That’s where Microsoft Fabric comes in.

Despite the grand name, Fabric isn’t about “big data” or enterprise complexity. It’s Microsoft’s attempt to fix a very real, very common SMB problem: why is it still so hard to get reliable answers from our own business systems?


The real problem Fabric is trying to solve

In most SMBs, reporting looks like this:

  • Sales has their numbers

  • Finance has a different set of numbers

  • Operations has spreadsheets that “mostly” line up

  • Meetings start with arguing over which report is correct

Even when Power BI is in use, it’s often built on fragile spreadsheets, duplicated datasets, or one‑off solutions held together by good intentions and caffeine.

The issue isn’t the tools — it’s the lack of a single source of truth.


What Microsoft Fabric actually is (in simple terms)

Microsoft Fabric is a single platform that brings together:

  • Data from all your systems

  • Secure storage for that data

  • Reporting and dashboards (via Power BI)

  • Analytics and forecasting

  • AI‑assisted insights

Instead of bolting tools together, Fabric gives you one shared data foundation that everything else plugs into.

Think of it as the difference between:

  • Twenty shared spreadsheets passed around by email
    and

  • One trusted set of numbers everyone agrees to use


Why this matters for SMBs (not just big enterprises)

Fabric isn’t about doing more reporting. It’s about doing less work for better answers.

For SMBs, the benefits are very practical:

1. Everyone works from the same numbers

Sales, finance, and leadership stop arguing about whose report is right, because they’re all looking at the same underlying data.

2. Better use of Power BI

Power BI becomes a decision‑making tool, not just a chart generator built on shaky spreadsheets.

3. Faster answers to real business questions

Questions like:

  • Are we actually profitable by customer?

  • Which products are quietly costing us money?

  • Where are we growing — and where are we stalling?

become easier to answer without weeks of manual effort.

4. AI that’s useful, not gimmicky

Fabric includes AI features that help explain trends and surface insights — not replace your judgement, but support it.


What Fabric is not

Let’s be clear about expectations.

Microsoft Fabric is:

  • ❌ Not a magic fix for messy data

  • ❌ Not “set and forget”

  • ❌ Not something every small business needs on day one

Fabric makes sense when your business:

  • Relies on multiple systems

  • Is growing or changing

  • Needs better visibility to make confident decisions

If Excel still works for you, that’s fine. Fabric is for when Excel no longer does.


The bigger picture

For years, businesses have collected more and more data while decision‑making hasn’t actually improved. Fabric is Microsoft’s attempt to close that gap — by simplifying how data is stored, shared, and analysed.

Used properly, it helps turn reporting from:

“What happened last month?”

into:

“What should we do next?”

And that’s where real business value lives.

New Publication – Microsoft Sentinel: Complete Setup and Configuration Guide for MSP Technicians

blog

https://directorcia.gumroad.com/l/sentstart

Unlock the full power of Microsoft Sentinel for your MSP business with the most comprehensive, step-by-step deployment guide available for 2026!

Are you a Managed Service Provider (MSP) or IT professional looking to deliver world-class security operations for small and medium-sized businesses? This expertly crafted guide is your essential companion for deploying, configuring, and optimizing Microsoft Sentinel—the industry-leading cloud-native SIEM and SOAR platform.

Why This Guide Stands Out
  • Written for Real-World MSPs: Every step is documented in plain language, with nothing assumed. Whether you’re deploying Sentinel for the first time or streamlining repeat rollouts, you’ll find clear, actionable instructions.

  • Covers End-to-End Deployment: From Azure prerequisites and licensing to advanced analytics, cost management, and multi-tenant monitoring with Azure Lighthouse, every phase is covered in detail.

  • Cost Optimization & Best Practices: Learn how to maximize free data allowances, avoid common billing pitfalls, and implement proven strategies for cost control—critical for SMB environments.

  • Security-First Approach: Includes robust incident response runbooks, troubleshooting guides, and security hardening tips tailored for MSPs managing multiple customers.

  • Ready-to-Use Checklists & Templates: Accelerate onboarding with a 30-minute Quick Start Checklist, recommended analytics rules, and workbook templates for reporting and monitoring.

  • Up-to-Date for 2026: Reflects the latest Microsoft Sentinel features, pricing models, and compliance requirements—including Australian data residency and privacy law guidance.

Key Features
  • Audience: MSP tier-2/3 technicians, security analysts, and IT consultants

  • Licensing Focus: Microsoft 365 Business Premium (Defender for Business included)

  • Time to Deploy: 2–4 hours for initial setup; 30 minutes/week ongoing

  • Comprehensive Coverage: Prerequisites, infrastructure, connectors, analytics, workbooks, incident management, cost optimization, and more

  • Bonus Content: KQL query library, troubleshooting appendix, and compliance checklists

Who Should Buy This Guide?
  • MSPs seeking a repeatable, best-practice Sentinel deployment process

  • IT professionals responsible for SMB security operations

  • Consultants and trainers delivering Microsoft security solutions

  • Organizations wanting to reduce risk, improve detection, and control costs


Transform your MSP security practice and deliver true SIEM-as-a-Service with confidence. Get your copy of the Microsoft Sentinel Complete Setup and Configuration Guide today!

See all the titles available at – https://directorcia.gumroad.com/

Unlocking AI Power: My first attempt at a Multi-Model Prompting App with Azure AI Foundry

Video = https://www.youtube.com/watch?v=l8nh2sbO-Go

Join me as I walk you through the innovative AI app I’ve been developing! In this video, I demonstrate how you can send prompts to a variety of large language models—or even leverage an agent with grounded data—for smarter, more accurate responses. You’ll see how the model router selects the best LLM for your needs, compare outputs from different models like GPT OSS120B and DeepSeek-R1, and discover the advantages of using agents with real data sources. Plus, I showcase user-friendly features like exporting results, saving prompts, and customizing your workspace. Whether you’re an AI enthusiast or just curious about the latest in prompt engineering, this demo will inspire you to explore new possibilities with Azure AI Foundry!

I’m looking for feedback on whether this type of app has value and what additional features and functionality could be added? Let me know in the comments.

Getting AI Foundry local working

blog

A while ago I wrote an article about a PowerShell script I wrote that will extract JSON security configuration data from a tenant and feed that into an agent I had created using Azure AI Foundry. That article is here:

https://blog.ciaops.com/2026/01/22/combining-powershell-and-ai-for-m365-security-analysis/

I spent time on how I could get it working for anyone, given the model was inside my environment. I offered that access for free and have had no real takers.

Ok, I thought, maybe it is because people are uncomfortable uploading private security data into ‘my model’, so then I created a script that just extracts the security configuration data, which you can find here:

https://blog.ciaops.com/2026/01/23/powershell-script-to-extract-m365-security-data-for-your-own-ai-analysis/

This way you can take that configuration data, along with some prompts I also provided, and feed that into your AI wherever that may be. When you do this with the Essential 8 prompt I provided the results look like this:

https://blog.ciaops.com/2026/01/25/essential-8-ai-report-via-powershell/

My next step, for those who may also desire their AI model to be local, was to look at Microsoft Foundry Local. This allows you to use your local compute resources (CPU, GPU and NPU if you have it) and run AI models on that machine.

First in the process is to install Foundry Local, which you can do at the command prompt via:

winget install Microsoft.FoundryLocal

Next, you need to select a model you wish to use. You can find all the models here:

https://www.foundrylocal.ai/models

Initially, I tried Phi 4 but couldn’t get it to load. This was probably due to its size and the lack of resources I have locally on my device. Instead I went for phi-4-mini. You download the model you wish via the command:

foundry model download phi-4-mini

When I ran this I actually got phi-4-mini-instruct:

Screenshot 2026-02-01 082356

You’ll also see that I got the version that runs on my GPU. The card for this model is here:

Screenshot 2026-02-01 082530

To actually get this model to run I used the command:

foundry model run phi-4-mini

and after a few moments I was greeted with:

Screenshot 2026-02-01 082717

So I typed in the following prompt and got the following answer:

Screenshot 2026-02-01 082856

So, it works as expected.

When I do prompt the local model I see my GPU utilisation spike like so:

Screenshot 2026-02-01 083943

Some observations so far about running local AI models

– Foundry Local makes it pretty easy to get started with AI models on your device

– It consumes significant local compute resources to run even the most basic AI model locally

– It is slow

– The results to prompts are limited

– It is all command line based

Now, that doesn’t mean local AI models don’t have a place and won’t improve, but seeing the performance of these local models compared to the online versions gives you an appreciation for how much compute the online versions must have behind them! It has also demonstrated to me, finally, the reason that you may desire a device with a local NPU processor. I would expect to see some AI models pushed locally and connected back to online AI services in the future, so I now get the point of having a local NPU on the device. It would be interesting to test Foundry Local on a device with an NPU to see how much better it performs, if at all.

With Foundry Local now up and running on my machine, the next challenge is to try and create a script that again extracts security information from Microsoft 365 but then feeds it into the Foundry Local AI rather than an online model to see what the output and performance is like.

In short, I now see better what running local AI looks like but from what I see, it still needs a significant amount of compute to make sense when compared to anything online. It will be interesting to compare the online AI analysis of Microsoft 365 security data with local AI analysis. I think that will give me a much better appreciation for the value of a ‘business’ implementation of local AI services.
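To connect the two pieces this post describes, running a model under Foundry Local and then feeding it extracted Microsoft 365 configuration, here is an added example. It is not the author’s script (which the post says is still to be written); it talks to Foundry Local’s OpenAI-compatible REST endpoint from PowerShell. The endpoint URL and model ID are placeholders you take from `foundry service status` and from what `foundry model run` printed when it loaded the model, and the Conditional Access JSON is constructed sample data. The function that compresses the export to one line per policy is there because a small local model’s context window cannot take an 8 MB tenant export, which is also the first place the “results are limited” observation above tends to bite.

```powershell
# Added example (not the author's script): send a slice of M365 security configuration
# to a Foundry Local model through its OpenAI-compatible REST endpoint.
# Assumptions, all of which you should adjust:
#   - $Endpoint is whatever `foundry service status` reports on your machine (the port varies).
#   - $ModelId is the ID `foundry model run phi-4-mini` printed when it loaded the model.
#   - The Conditional Access JSON below is constructed sample data, not a real tenant export.

$Endpoint = 'http://localhost:5273'             # placeholder: take the URL from `foundry service status`
$ModelId  = 'Phi-4-mini-instruct-generic-gpu'   # placeholder: use the ID printed by `foundry model run`

# Constructed sample in the shape of a Graph conditionalAccess/policies export, trimmed to what matters.
$SampleExportJson = @'
{
  "conditionalAccessPolicies": [
    { "displayName": "Require MFA for admins", "state": "enabled",
      "conditions": { "users": { "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"] },
                      "applications": { "includeApplications": ["All"] } },
      "grantControls": { "builtInControls": ["mfa"] } },
    { "displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
      "conditions": { "users": { "includeUsers": ["All"] },
                      "clientAppTypes": ["exchangeActiveSync", "other"] },
      "grantControls": { "builtInControls": ["block"] } },
    { "displayName": "Require MFA for all users", "state": "disabled",
      "conditions": { "users": { "includeUsers": ["All"] },
                      "applications": { "includeApplications": ["All"] } },
      "grantControls": { "builtInControls": ["mfa"] } }
  ]
}
'@

function ConvertTo-CompactPolicySummary {
    # Small local models have small context windows; an 8 MB tenant export will not fit.
    # Reduce each policy to one line holding only the fields an assessment actually needs.
    param([Parameter(Mandatory)] [string] $Json)
    $export = $Json | ConvertFrom-Json
    foreach ($p in $export.conditionalAccessPolicies) {
        $users  = @(@($p.conditions.users.includeUsers) +
                    @($p.conditions.users.includeRoles | Where-Object { $_ } | ForEach-Object { "role:$_" })) |
                  Where-Object { $_ }
        $apps   = @($p.conditions.applications.includeApplications)
        $client = @($p.conditions.clientAppTypes)
        $grant  = @($p.grantControls.builtInControls)
        "- {0} | state={1} | users={2} | apps={3} | clientApps={4} | grant={5}" -f `
            $p.displayName, $p.state, ($users -join ','), ($apps -join ','), ($client -join ','), ($grant -join ',')
    }
}

function Invoke-LocalModelAnalysis {
    param([Parameter(Mandatory)] [string] $Summary)
    $body = @{
        model       = $ModelId
        temperature = 0.2      # assessment, not creative writing
        max_tokens  = 600
        messages    = @(
            @{ role = 'system'; content = 'You are a Microsoft 365 security reviewer. Be concise and specific.' }
            @{ role = 'user';   content = "Review these Conditional Access policies. For each, say whether it is enforced, what gap it leaves, and the single most important fix:`n$Summary" }
        )
    } | ConvertTo-Json -Depth 6

    # Local inference on a modest GPU can take minutes; cap the wait rather than hang forever.
    $response = Invoke-RestMethod -Method Post -Uri "$Endpoint/v1/chat/completions" `
        -ContentType 'application/json' -Body $body -TimeoutSec 600
    return $response.choices[0].message.content
}

$summary = (ConvertTo-CompactPolicySummary -Json $SampleExportJson) -join "`n"
Write-Host "Sending $($summary.Length) characters to $ModelId at $Endpoint`n"
Invoke-LocalModelAnalysis -Summary $summary
```

Nothing in this script leaves the machine, which is the point of the local route. Note that the summary deliberately reports the policy state: a policy in report-only mode or disabled, like two of the three constructed ones, protects nobody, and a model will happily praise “Block legacy auth” unless you tell it the policy is not enforced.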

Combining PowerShell and AI for M365 Security Analysis

powershell_ai_m365_security_no_text

I’ve used AI to create smart Microsoft 365 expert technical agents which I have deployed to Teams for CIAOPS Patrons:

image

I’ve also created a smart Microsoft 365 expert technical agent that you can use for free via email:

https://blog.ciaops.com/2025/06/11/get-your-m365-questions-answered-via-email-2/

simply by putting your question in the body of an email and sending it to robert.agent@ciaops365.com.

Now, I have integrated AI into my PowerShell scripts! Let me explain what I’ve done.

I’ve created an agent in Azure AI Foundry that is ‘grounded’ with all my M365 knowledge that is in the CIAOPS Patron community. I’ll cover off what I have learned about Azure AI Foundry in another post.

Next, I created a PowerShell script that firstly logs into a tenant to be inspected,

image

extracts all the security information like Secure Score details, Conditional Access policies and more,

image

bundles all that up into a single JSON file (about 8MB in size)

image

and then connects to my Foundry agent and uploads that extracted data for analysis

image

After analysis it generates and displays an extensive HTML report

image

which looks like:

image

and you can find a complete copy to review here, because it is too large for this post:

https://github.com/directorcia/Office365/blob/master/Analysis/secure-score-foundry.png

image

I’ve configured my Foundry agent to use a ‘Model router’, meaning that the agent uses what it thinks is the best LLM to do the analysis automatically.

The report includes prioritised recommendations:

image

A visualized Remediation Roadmap:

image

and a whole lot more. I encourage you to take a moment and study the example output for yourself, which is AI generated.

I am now building similar AI analysis scripts for all M365 services like Exchange, SharePoint, etc. and plan to expand these over time.

Here’s the best part. As part of my testing process I am happy to make this Secure Score AI Analysis script available to a select few who read this and send me an email (director@ciaops.com) asking for a copy. You’ll need to be comfortable with PowerShell and have the MSGraph module already installed to run the script. Even better for the select few that do respond – I’ll give you access to my Azure AI Foundry agent for FREE to do the analysis. There are some conditions you’ll need to agree to, like going on my email list and understanding this is all still a beta test, but there will be no cost if you qualify and agree. To start that process just email me (director@ciaops.com) saying you are keen to give it a go and I’ll send along all the details.

There are just so many ways that I can see how to integrate AI with PowerShell and I’ll be sharing more soon on what I am doing.
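The extract-and-bundle steps described above, as an added example rather than the author’s script (which is shared on request and not published here). It pulls the latest Secure Score snapshot and the Conditional Access policies with the Microsoft Graph PowerShell SDK and writes one JSON file. Because that file is about to be uploaded to somebody else’s model, it scrubs directory object IDs from the policy scopes and leaves out the tenant ID; role template IDs are kept because they are the same in every tenant. It assumes the SDK is installed and that the output path placeholder is adjusted.

```powershell
# Added example (not the author's script): extract the two inputs the post mentions,
# Secure Score and Conditional Access, into one JSON file, with tenant-identifying
# values scrubbed before it leaves the machine. Assumes the Microsoft.Graph PowerShell SDK.
# The output path is a placeholder.

Import-Module Microsoft.Graph.Security
Import-Module Microsoft.Graph.Identity.SignIns

$OutFile = Join-Path $env:TEMP 'm365-security-extract.json'   # placeholder path

Connect-MgGraph -Scopes 'SecurityEvents.Read.All','Policy.Read.All' -NoWelcome

# Latest Secure Score snapshot: overall numbers plus the per-control breakdown.
$score = Get-MgSecuritySecureScore -Top 1
$secureScore = [ordered]@{
    createdDateTime = $score.CreatedDateTime
    currentScore    = $score.CurrentScore
    maxScore        = $score.MaxScore
    controls        = @($score.ControlScores | ForEach-Object {
        [ordered]@{ name = $_.ControlName; category = $_.ControlCategory; score = $_.Score }
    })
}

# Object IDs of named users and groups identify the tenant; replace them before upload.
# Well-known values such as "All" or "GuestsOrExternalUsers" are not GUIDs and pass through.
$guidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
function Hide-Principal {
    param($Values)
    if ($null -eq $Values) { return @() }
    @($Values | ForEach-Object { if ($_ -match $guidPattern) { 'redacted-object' } else { $_ } })
}

$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [ordered]@{
        displayName    = $_.DisplayName
        state          = $_.State            # enabled / disabled / enabledForReportingButNotEnforced
        users          = [ordered]@{
            includeUsers  = Hide-Principal $_.Conditions.Users.IncludeUsers
            excludeUsers  = Hide-Principal $_.Conditions.Users.ExcludeUsers
            includeGroups = Hide-Principal $_.Conditions.Users.IncludeGroups
            excludeGroups = Hide-Principal $_.Conditions.Users.ExcludeGroups
            includeRoles  = @($_.Conditions.Users.IncludeRoles)   # role template IDs are not tenant-specific
        }
        applications   = @($_.Conditions.Applications.IncludeApplications)
        clientAppTypes = @($_.Conditions.ClientAppTypes)
        grantControls  = @($_.GrantControls.BuiltInControls)
    }
})

$extract = [ordered]@{
    generated         = (Get-Date).ToUniversalTime().ToString('o')
    # deliberately no tenant ID, no UPNs, no object IDs
    secureScore       = $secureScore
    conditionalAccess = $caPolicies
}
$extract | ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile -Encoding utf8
Write-Host "Wrote $OutFile ($([math]::Round((Get-Item $OutFile).Length / 1KB)) KB)"
```

The exclusions are kept on purpose: an “exclude” list on a Require-MFA policy is where most real gaps live, and an analysis that cannot see it will miss them. Open the file and read it before sending it anywhere; the scrubbing covers what a regex can recognise, not display names that happen to contain the company name.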