Category: Microsoft 365

Need to Know podcast–Episode 350

In Episode 350 of the CIAOPS “Need to Know” podcast, along with the latest news from the Microsoft Cloud, we explore how Microsoft Power Pages is revolutionising web development for SMBs. Learn how this low-code platform enables businesses to build secure, scalable portals—without needing full-stack developers. From customer support portals to partner onboarding, discover real-world use cases, a step-by-step guide to building your first portal, and how Managed Service Providers (MSPs) can offer Power Pages as a service. This episode is a must-listen for IT professionals, MSPs, and business leaders driving digital transformation.

Brought to you by www.ciaopspatron.com

you can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-350-power-up/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

Join my Teams shared channel – Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron – CIAOPS Patron

CIAOPS Blog – CIAOPS – Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency

CIAOPS Brief – CIA Brief – CIAOPS

CIAOPS Labs – CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS – https://ko-fi.com/ciaops

Get your M365 questions answered via email

Show Notes

Security & Compliance
AI & Copilot
Learning & Productivity
Threat Intelligence
Platform & Tools
Recognition & Industry Updates
AI Governance & Design
Media & Branding

Test Your Microsoft 365 Speed in Seconds — For Free!

bp1

Ever wondered if your Microsoft 365 experience is running as fast as it should? Whether you’re dealing with slow Outlook syncs, Teams lag, or SharePoint delays, the culprit might be your connection to Microsoft’s cloud.

That’s where my new Microsoft 365 Connection Speed Test script comes in — a free, no-fuss tool that gives you a clear picture of how well your network connects to Microsoft 365.

️ What Is It?

This PowerShell script, created CIAOPS, runs a quick diagnostic to test your connection speed to Microsoft 365 services. It checks latency, download speed, and other key metrics — all from your own machine.

Why Should You Use It?
  • Spot Bottlenecks: Identify if your network is slowing down your Microsoft 365 apps.

  • Troubleshoot Smarter: Get real data to help IT support pinpoint issues faster.

  • Work from Anywhere: Test performance from home, the office, or on the go.

  • No Guesswork: Know exactly how your connection stacks up — no tech jargon required.

Who’s It For?

Anyone using Microsoft 365! Whether you’re an IT admin, a remote worker, or just someone who wants Teams to stop freezing mid-call — this tool is for you.

How to Get It
  1. Head to the GitHub page: Microsoft 365 Speed Test Script
  2. Follow the simple instructions to run the script using PowerShell as well as reading the online documentation for the script.
  3. Review your results and take action if needed.

✅ Final Thoughts

This script is a great example of how a little tech can go a long way in improving your daily workflow. It’s free, fast, and incredibly useful — especially if you rely on Microsoft 365 to get things done.

Want help running it or interpreting the results? Just let me know — I’m here to help!

A final note – you have the option to upload the results securely to my BLOB storage in Azure at the end of the script. I’m planning to use AI to analyse these results and providing a results dashboard and potentially providing benchmarking feedback as part of the results. So, I’d love it if you would share your results back to me so I can keep improving and enhancing this for all.

Everyday Copilot example prompts for SMB

bp1

Microsoft 365 Copilot is a powerful AI assistant integrated into the Microsoft 365 apps you already use, designed to boost productivity, creativity, and efficiency. For small businesses, it can act as a virtual team member, automating routine tasks and providing intelligent assistance across various functions.

Here’s a breakdown of practical examples and a step-by-step implementation guide for a small business to leverage Copilot for increased productivity:

Practical Examples of Microsoft 365 Copilot in a Small Business

Here are concrete scenarios where a small business can use Copilot to be more productive:

1. Marketing & Content Creation:

  • Scenario: A small online retail business needs to create engaging product descriptions for new inventory and draft a marketing email campaign.

  • Copilot Use:

    • Word: “Draft 10 unique, SEO-friendly product descriptions for a new line of organic bath bombs, highlighting their natural ingredients and calming properties.” Copilot generates initial drafts, which the team can then refine.

    • Outlook: “Based on the organic bath bomb product descriptions, write a promotional email to our subscriber list, including a special launch discount and a clear call to action to visit our website.” Copilot drafts the email, saving significant time.

    • PowerPoint: “Create a presentation for an upcoming local market vendor event, showcasing our brand story and top 5 best-selling products. Include images and key benefits.” Copilot helps generate slides, suggest layouts, and even find relevant stock images.

2. Sales & Customer Management:

  • Scenario: A freelance graphic designer needs to prepare a tailored proposal for a new client and summarize a long email thread about project revisions.

  • Copilot Use:

    • Word: “Generate a comprehensive project proposal for [Client Name] for their new brand identity project. Include sections for scope of work, timeline, deliverables, and pricing, referencing our standard pricing guide.” Copilot quickly builds the proposal structure and fills in details.

    • Outlook: In a long email thread about client feedback, “Summarize the key decisions made and action items from this email conversation regarding the logo design revisions for [Client Name].” Copilot provides a concise summary, preventing missed details.

    • Teams: After a client meeting, “Summarize this Teams meeting about the website redesign, highlighting key agreements, outstanding questions, and assigned tasks to each team member.” Copilot generates meeting minutes and action items.

3. Finance & Operations:

  • Scenario: A small consulting firm needs to analyze quarterly sales data in Excel and draft a memo to employees about new expense policies.

  • Copilot Use:

    • Excel: “Analyze this sales data in Sheet1 to identify the top 3 performing services and visualize monthly revenue trends.” Copilot can suggest formulas, create charts, and even interpret the data, turning raw numbers into actionable insights.

    • Word: “Draft a clear and concise memo to all employees outlining the new expense reimbursement policy, effective next month. Emphasize the need for itemized receipts and submission deadlines.” Copilot helps draft the policy document quickly and accurately.

    • Microsoft 365 Chat: “What are the latest updates to the company’s Q2 budget in the ‘Finance Reports’ SharePoint folder?” Copilot can search across your M365 environment to retrieve and summarize relevant information.

4. Human Resources (HR) & Internal Communications:

  • Scenario: A small accounting firm needs to create an onboarding checklist for new hires and respond to common employee queries about leave policies.

  • Copilot Use:

    • Word: “Create a detailed onboarding checklist for new hires, covering IT setup, HR paperwork, team introductions, and initial training modules.” Copilot provides a structured checklist to ensure a smooth onboarding process.

    • Outlook: When an employee asks about personal leave, “Draft an email response to [Employee Name] explaining the company’s personal leave policy, referencing the relevant section in the employee handbook, and attaching the leave request form.” Copilot helps generate accurate and consistent responses.

Step-by-Step Implementation of Microsoft 365 Copilot in a Small Business

Implementing Copilot effectively involves more than just enabling licenses. It requires preparation, user adoption strategies, and ongoing monitoring.

Phase 1: Preparation and Readiness

  1. Assess Your Microsoft 365 Environment:

    • Data Governance: Copilot inherits your existing Microsoft 365 security, privacy, and compliance settings. Ensure your data is well-organized, permissions are correctly set, and sensitive information is protected (e.g., using sensitivity labels). This is crucial to prevent “oversharing” of information through Copilot.

    • Licensing: Verify you have an eligible Microsoft 365 subscription (e.g., Microsoft 365 Business Standard or Business Premium). Copilot is an add-on, so you’ll need to purchase licenses ($30 per user per month, as of my last update).

    • Network Readiness: Ensure your internet connection and Microsoft 365 services are robust enough to handle the increased AI processing.

  2. Identify Key Use Cases and Pilot Users:

    • Define Needs: Pinpoint specific pain points and areas where AI can provide the most immediate value for your business (e.g., slow report generation, repetitive email drafting, meeting summaries).

    • Select Pilot Group: Choose a small group of enthusiastic users from different departments who are heavy Microsoft 365 users and open to new technologies. These “champions” will be crucial for early feedback and encouraging wider adoption.

  3. Establish an “AI Council” (Even for a Small Business):

    • This doesn’t need to be formal or large. It could be 1-2 owners/managers and a key IT contact (internal or external).

    • Their role: Define clear goals for Copilot, oversee implementation, address challenges, and communicate the vision.

Phase 2: Deployment and Onboarding

  1. Assign Copilot Licenses:

    • Go to the Microsoft 365 admin center.

    • Navigate to Billing > Licenses.

    • Select Microsoft 365 Copilot and assign licenses to your chosen pilot users.

    • Note: It might take up to 24 hours for Copilot to appear in all apps for users. They may need to restart or refresh the apps.

  2. Provide Training and Resources:

    • Basic Prompting: Train users on how to craft effective prompts. Emphasize clarity, context, and specifying the desired outcome.

    • Role-Specific Examples: Provide examples of how Copilot can be used in their specific roles (e.g., marketers: “draft a social media post,” sales: “summarize this client email”). Microsoft provides an “SMB Success Kit” and online quick-start training (aka.ms/quickstartcopilot) that can be valuable.

    • “When to use Copilot” vs. “When not to”: Help users understand when Copilot is a valuable assistant and when human judgment or expertise is still paramount.

    • Encourage Experimentation: Foster a culture where users feel comfortable experimenting with Copilot.

  3. Establish a User Community (informal):

    • Even in a small business, create a dedicated chat channel (e.g., in Microsoft Teams) for users to share tips, ask questions, and celebrate “Copilot wins.” This peer-to-peer learning is highly effective.

Phase 3: Monitor, Refine, and Expand

  1. Gather Feedback:

    • Regularly check in with your pilot users. What’s working well? What are the challenges? What new ideas do they have?

    • Qualitative feedback (discussions, surveys) is just as important as quantitative data.

  2. Monitor Usage (Microsoft Copilot Dashboard):

    • The Microsoft Copilot Dashboard provides insights into Copilot usage, including which apps it’s used in most and active user counts. Use this to understand adoption trends and identify areas for further training or focus.

  3. Iterate and Optimize:

    • Based on feedback and usage data, refine your training materials, prompt guidelines, and use cases.

    • Address any data governance issues that arise.

  4. Gradual Rollout (or full deployment):

    • Once the pilot is successful and you’ve addressed initial challenges, gradually expand Copilot access to more users or the entire team.

    • Continue to provide ongoing support and training as new users come online.

  5. Celebrate Successes:

    • Share stories of how Copilot has helped employees save time, improve quality, or achieve business goals. This builds enthusiasm and encourages wider adoption.

By following these practical examples and a structured implementation approach, even small businesses can effectively harness the power of Microsoft 365 Copilot to significantly boost their productivity and gain a competitive edge.

CIA Brief 20250720

image

Understanding Apple enrollment methods in Microsoft Intune –

https://techcommunity.microsoft.com/blog/intunecustomersuccess/understanding-apple-enrollment-methods-in-microsoft-intune/4434586

New tools for Security Copilot management and capacity planning –

https://techcommunity.microsoft.com/blog/securitycopilotblog/new-tools-for-security-copilot-management-and-capacity-planning/4432723

Learning the new Outlook: Managing the Calendar surface –

https://www.youtube.com/watch?v=5kA72Vs8Zo0

Web vs work grounding in Microsoft 365 Copilot –

https://www.youtube.com/watch?v=y03QC8PCAfE

Protecting Cloud Storage in the Age of AI –

https://techcommunity.microsoft.com/blog/MicrosoftDefenderCloudBlog/protecting-cloud-storage-in-the-age-of-ai/4433854

Microsoft 365 Insider Round-Up: July 2025 –

https://www.linkedin.com/pulse/microsoft-365-insider-round-up-july-2025-microsoft-365-insider-epw2c/

Microsoft Purview Powering Data Security and Compliance for Security Copilot –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-purview-powering-data-security-and-compliance-for-security-copilot/4433522

Transparency on Microsoft Defender for Office 365 email security effectiveness –

https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/

Now Generally Available: Microsoft Security Copilot in Surface Management Portal –

https://techcommunity.microsoft.com/blog/surfaceitpro/now-generally-available-microsoft-security-copilot-in-surface-management-portal/4429558

Stay ahead of emerging threats with Microsoft Defender Experts for Hunting –

https://www.youtube.com/watch?v=iqlxXf6JeQg

Learning the new Outlook: Configuring Notifications and Reminders –

https://www.youtube.com/watch?v=ov7x5p4FQGE

Deceived, not hacked: Why keeping people safe online now starts with smarter design –

https://news.microsoft.com/source/features/ai/deceived-not-hacked-why-keeping-people-safe-online-now-starts-with-smarter-design/

Automating Microsoft Sentinel: Playbook Fundamentals –

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/automating-microsoft-sentinel-playbook-fundamentals/4424475

Protecting customers from Octo Tempest attacks across multiple industries –

https://www.microsoft.com/en-us/security/blog/2025/07/16/protecting-customers-from-octo-tempest-attacks-across-multiple-industries/

Introducing Copilot Memory: A More Productive and Personalized AI for the Way You Work –

https://techcommunity.microsoft.com/blog/microsoft365copilotblog/introducing-copilot-memory-a-more-productive-and-personalized-ai-for-the-way-you/4432059

Microsoft Stream and Microsoft Clipchamp: Brand unification update for Microsoft 365 video –

https://techcommunity.microsoft.com/blog/microsoft_365blog/microsoft-stream-and-microsoft-clipchamp-brand-unification-update-for-microsoft-/4433155

Learning the new Outlook: Adding Shared mailboxes –

https://www.youtube.com/watch?v=g7Z37I1ZIKY

Secure and govern AI apps and agents with Microsoft Purview –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/secure-and-govern-ai-apps-and-agents-with-microsoft-purview/4429925

Mastering Agent Governance in Microsoft 365 –

https://techcommunity.microsoft.com/blog/healthcareandlifesciencesblog/mastering-agent-governance-in-microsoft-365/4416620

Get the most out of Microsoft Forms with these little-known features –

https://techcommunity.microsoft.com/blog/microsoft365insiderblog/get-the-most-out-of-microsoft-forms-with-these-little-known-features/4432179

Microsoft Security Copilot in Intune deep dive – Part 3: Explore and act on your Intune data with AI –

https://techcommunity.microsoft.com/blog/intunecustomersuccess/microsoft-security-copilot-in-intune-deep-dive—part-3-explore-and-act-on-your-/4433019

After hours

Tech Promised Everything. Did it deliver? | Scott Hanselman – https://www.youtube.com/watch?v=dVG8W-0p6vg

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

How SMBs can use AI with security

bp1

Microsoft 365 Business Premium offers a robust suite of security features, many of which are enhanced by Artificial Intelligence (AI) and machine learning. For SMBs, leveraging these AI capabilities can significantly bolster their cybersecurity posture. Here’s how:

1. AI-Powered Threat Detection and Prevention (Microsoft Defender for Business & Office 365):

  • Advanced Malware and Ransomware Protection: Microsoft Defender for Business (included in M365 Business Premium) uses AI and machine learning to analyze endpoint behavior (PCs, Macs, mobile devices) and detect suspicious activity indicative of malware, ransomware, and other advanced threats. It provides real-time threat detection and automated response capabilities to mitigate issues before they escalate [1, 2].

  • Phishing and Zero-Day Attack Protection: Microsoft Defender for Office 365 (Plan 1, also included) employs AI to identify and block sophisticated phishing attempts, including those crafted with Generative AI to appear more convincing. It uses “Safe Links” to scan URLs in emails and documents at the time of click, and “Safe Attachments” to open email attachments in a virtual environment to detect malicious content before it reaches users. This AI helps interpret email language and intent to classify threats at machine speed [1, 3].

  • Behavioral Anomaly Detection: AI models continuously learn normal user and system behavior. Any deviation from this baseline, such as unusual login patterns, large data downloads, or access from unfamiliar locations, can trigger alerts and automated responses, indicating potential account compromise or insider threats [3].

2. Identity and Access Management (Microsoft Entra ID Premium P1):

  • Risk-Based Conditional Access: AI plays a crucial role in Conditional Access policies. It analyzes factors like user location, device compliance, and detected risk levels (e.g., impossible travel, anomalous login times, leaked credentials) to determine if access to resources should be granted, denied, or require additional verification (like MFA). This proactive approach significantly reduces the risk of unauthorized access even if credentials are stolen [1, 4]. Microsoft Entra ID Protection categorizes risk into low, medium, and high confidence levels, using machine learning to inform these assessments [4].

  • Multi-Factor Authentication (MFA) Enforcement: While MFA itself isn’t AI, the AI in Entra ID (formerly Azure Active Directory) can recommend and enforce MFA based on detected risks, making it a critical layer of defense against identity attacks [1, 4].

3. Data Loss Prevention (DLP) and Information Protection (Microsoft Purview):

  • Intelligent Data Classification: AI in Microsoft Purview Information Protection can automatically identify and classify sensitive data (e.g., credit card numbers, health information, personally identifiable information) across Outlook, SharePoint, and Teams. This helps ensure that sensitive data is appropriately protected, encrypted, and prevented from leaving the organization, whether maliciously or accidentally [1, 5]. Sensitive information types and trainable classifiers leverage AI to find sensitive data in user prompts and responses when they use AI apps [5].

  • Automated Policy Enforcement: Based on the AI-driven classification, DLP policies can be automatically enforced, preventing sharing of sensitive information with unauthorized external parties or even internally if policies dictate [5]. DLP also uses machine learning algorithms to detect content that matches your DLP policies [5].

4. Device Management and Compliance (Microsoft Intune):

  • Automated Security Policy Deployment: While Intune primarily manages devices, AI can inform and automate the deployment of security policies, ensuring devices are compliant before accessing company resources. It can also help detect and flag non-compliant devices, preventing them from becoming entry points for attacks [1].

  • Remote Wipe and Data Protection: In case of lost or stolen devices, Intune allows for remote wiping of company data, which, while not directly AI-powered, is a critical security measure supported by the device management framework [1].

  • AI-powered insights for device management: Microsoft Intune leverages real-time data and AI-powered insights (e.g., in Endpoint analytics and with Copilot in Intune) to help proactively manage and secure devices, pinpoint problems, identify vulnerabilities, and deploy remediations [6].

5. AI for Security Operations (Microsoft 365 Copilot & Analytics):

  • Microsoft 365 Copilot (Add-on): While primarily a productivity tool, Copilot, when integrated with Microsoft 365 Business Premium, can contribute to security by:

    • Summarizing Security Alerts: Quickly digest and understand complex security alerts and incident reports [7].

    • Threat Intelligence Analysis: Help analyze security logs and data to identify potential threats and vulnerabilities [7].

    • Generating Security Policies/Documentation: Assist in drafting security policies, guidelines, or incident response plans [7].

    • Adhering to existing security controls: Copilot inherits existing Microsoft 365 security, privacy, identity, and compliance requirements, ensuring users only see what they have permission to access [7].

  • Security Analytics and Reporting: The underlying AI within M365’s security features continuously collects and analyzes vast amounts of security data. This allows for better insights into the organization’s security posture, identifies trends in attacks, and helps predict potential vulnerabilities, enabling SMBs to make informed security decisions [2].

How SMBs can best leverage this AI:

  • Enable and Configure: Don’t just subscribe to M365 Business Premium; actively enable and configure its security features. Many of the AI-powered capabilities need to be turned on and customized to your business’s needs.

  • Prioritize MFA and Conditional Access: These are foundational and highly effective in preventing identity-based attacks [1, 4, 7].

  • Educate Employees: Even with AI, human error is a significant vulnerability. Train employees on phishing awareness, data handling best practices, and the importance of reporting suspicious activity.

  • Regularly Review Security Reports: Pay attention to the security insights and recommendations generated by M365, as these are often powered by AI analysis.

  • Consider Professional Assistance: For complex configurations or if you lack in-house IT expertise, consider working with a Managed Service Provider (MSP) who specializes in Microsoft 365 security. They can help optimize your security posture and ensure you’re getting the most out of the AI-powered features.

  • Stay Updated: Microsoft continuously updates its security features. Keep your M365 environment updated to benefit from the latest AI enhancements.

By proactively utilizing the AI capabilities within Microsoft 365 Business Premium, SMBs can significantly enhance their defenses against evolving cyber threats, protecting their data, devices, and ultimately, their business continuity.

References:

[1] Security Features of Microsoft Business Premium | Smile IT. (n.d.). Retrieved from https://www.smileit.com.au/cybersecurity/security-features-of-microsoft-business-premium/

[2] Microsoft Defender for Business | Microsoft Security. (n.d.). Retrieved from https://www.microsoft.com/en-au/security/business/endpoint-security/microsoft-defender-business

[3] Microsoft Defender for Office 365 | Microsoft Security. (n.d.). Retrieved from https://www.microsoft.com/en-au/security/business/siem-and-xdr/microsoft-defender-office-365

[4] What are risks in Microsoft Entra ID Protection. (n.d.). Retrieved from https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks

[5] Use Microsoft Purview to manage data security & compliance for Entra-registered AI apps. (n.d.). Retrieved from https://learn.microsoft.com/en-us/purview/ai-entra-registered

[6] Microsoft Intune data-driven management | Device Query & Copilot – Mechanics Team. (n.d.). Retrieved from https://officegarageitpro.medium.com/microsoft-intune-data-driven-management-device-query-copilot-fc6b958a5e83

[7] Securing Microsoft 365 Copilot in a Small Business Environment – CIAOPS. (n.d.). Retrieved from https://blog.ciaops.com/2025/07/07/securing-microsoft-365-copilot-in-a-small-business-environment/

Unlocking Productivity: SharePoint, Teams, and OneDrive Best Practices for SMBs with M365 Business Premium

bp1

For Small and Medium Businesses (SMBs) leveraging Microsoft 365 Business Premium, the suite of tools – SharePoint, Teams, and OneDrive for Business – offers an incredible opportunity to transform collaboration and boost productivity. But simply having the tools isn’t enough; strategic configuration and a well-designed collaboration structure are key to unlocking their full potential. This blog post will guide you through the recommended best practices and provide detailed steps to configure your environment for maximum efficiency.

Understanding the Trio: SharePoint, Teams, and OneDrive

Before diving into configuration, it’s crucial to understand the distinct roles of each platform:

  • OneDrive for Business: Think of this as your personal cloud storage. It’s ideal for individual work files, drafts, and documents you’re not yet ready to share broadly. It provides seamless synchronization across devices and robust versioning.
  • SharePoint Online: This is your organization’s intranet and document management system. SharePoint sites are perfect for structured, long-term document storage, company-wide resources, policies, and departmental information. Every Microsoft Team gets an associated SharePoint Team Site.
  • Microsoft Teams: The hub for teamwork. Teams brings together chat, meetings, calls, and collaboration on files. It’s designed for dynamic, real-time collaboration within specific groups or projects, with the underlying file storage powered by SharePoint.

Designing Your Collaboration Structure: The “When to Use What” Guide

A common pitfall is using these tools interchangeably. A clear “when to use what” guideline is essential for user adoption and efficient collaboration.

  • Your Personal Work & Drafts: OneDrive for Business
  • Immediate Team/Project Collaboration: Microsoft Teams (with files stored in the connected SharePoint Team Site’s document library)
  • Company-wide Information & Structured Document Management: SharePoint Communication Sites (for intranets, HR portals) and SharePoint Team Sites (for departmental or long-term project repositories not necessarily tied to a daily Teams chat).
  • Formal/External Communication: Outlook (for email and calendaring)
  • Task Management: Microsoft Planner (for team tasks, integrated into Teams) and Microsoft To Do (for personal tasks).

Detailed Steps: Configuring Your Collaboration Environment

Phase 1: Foundation & Security (Admin-Focused)
  1. Initial Setup & Domain Verification: Ensure your Microsoft 365 tenant is fully set up, and your custom domain is verified. This is typically done during your initial M365 Business Premium subscription setup.
  2. User Management & Licensing:
    • Go to the Microsoft 365 Admin Center https://admin.microsoft.com
    • Navigate to Users > Active Users.
    • Add users and assign the appropriate Microsoft 365 Business Premium licenses. Ensure display names and usernames are consistent.
  3. Enable Multi-Factor Authentication (MFA) for ALL Users: This is non-negotiable for SMB security.

    • From the Admin Center, go to Azure Active Directory (now Microsoft Entra ID).
    • Under Security > Conditional Access or Identity > Users > Per-user MFA, enable MFA for all users. Consider setting up Conditional Access policies to enforce MFA based on location or device.
  4. Configure OneDrive for Business Default Settings:
    • In the Microsoft 365 Admin Center, go to Show all > SharePoint > Settings > OneDrive sync.
    • Ensure the OneDrive sync app is recommended and consider enabling Known Folder Move to automatically back up users’ Desktop, Documents, and Pictures folders to OneDrive.
    • Set appropriate retention policies for OneDrive files in the Microsoft Purview compliance portal.
    • Review external sharing settings for OneDrive. For SMBs, it’s often best to restrict external sharing to specific domains or require sign-in for external users.
  5. SharePoint Online Default Settings:

    • In the Microsoft 365 Admin Center, go to Show all > SharePoint > Policies > Sharing.
    • Set your default external sharing level (e.g., “Existing guests” or “New and existing guests”). Avoid “Anyone” links for sensitive data.
    • Implement retention policies for SharePoint sites and libraries in the Microsoft Purview compliance portal.
    • Consider configuring data loss prevention (DLP) policies to prevent sensitive information from being shared inappropriately.

    Microsoft Teams Default Settings:

    • Go to the Microsoft Teams Admin Center https://admin.teams.microsoft.com
    • Under Teams > Teams settings, define guest access permissions. Be clear on who can invite guests and what guests can do.
    • Establish Team and channel naming conventions (e.g., Dept-Marketing, Project-LaunchX). This helps with organization and searchability. Communicate these clearly to users.
    • Consider governance policies for Team creation (e.g., restricting who can create new Teams or requiring approval for new Teams). This prevents sprawl.
    • Review app availability. Limit or approve third-party apps based on your company’s security and productivity needs.
Phase 2: Structuring for Collaboration (User & Admin Collaboration)
  1. Identify Collaboration Needs & Groups:
    • Gather key stakeholders from different departments or projects.
    • Determine how teams currently communicate and share files.
    • Identify logical groups for collaboration (e.g., Sales Team, Marketing Team, Project X Team, Leadership).
  2. Create Microsoft 365 Groups/Teams:
    • For each identified collaboration group, create a Microsoft Team in the Teams Admin Center or directly in the Teams application.
    • When you create a Team, it automatically creates a corresponding Microsoft 365 Group (which includes a SharePoint Team Site, Exchange mailbox, Planner, etc.).
    • Best Practice: Start with a few core Teams (e.g., by department or major function) and add specific channels within them. Avoid creating a Team for every single small project initially.
  3. Organize Channels within Teams:
    • Within each Team, create Standard Channels for different topics, workstreams, or sub-projects.
    • Use the “General” channel for announcements and onboarding.
    • Private Channels should be used sparingly for sensitive discussions or files involving a subset of the Team members.
    • Shared Channels (if applicable) allow seamless collaboration with specific internal or external teams without granting full access to the parent Team. Ideal for client projects or vendor collaborations.
  4. Leverage SharePoint for Structured Content:
    • Team Sites (Connected to Teams): The “Files” tab in each Teams channel is powered by a document library in the connected SharePoint Team Site. Encourage users to store all Team-related documents here. Use folders within these libraries for further organization.
    • Communication Sites: Create dedicated SharePoint Communication Sites for company-wide news, HR resources, IT support, or marketing collateral that needs to be broadly accessible but controlled by a smaller group of content creators. Link these sites from within Teams using tabs or a central intranet portal.
  5. Integrate Apps & Tabs in Teams:
    • Pin frequently used files, SharePoint pages/lists, Planner boards, OneNote notebooks, or websites as tabs within relevant Teams channels.
    • For example, add a Planner tab to a project channel to track tasks, or a OneNote tab for meeting notes.
  6. Document Co-authoring Best Practices:
    • Encourage users to co-author documents directly in Teams or SharePoint Online instead of sending attachments via email.
    • Remind users to use the @mention feature in documents and Teams chats to notify specific colleagues.
    • Utilize version history in SharePoint and OneDrive for easy rollbacks and tracking changes.

Phase 3: Adoption & Ongoing Management (Continuous Improvement)
  1. User Training & Education: This is perhaps the most critical step.

    • Conduct internal workshops or provide clear, concise training on “when to use what” for OneDrive, SharePoint, and Teams.
    • Provide quick-reference guides, FAQs, and short video tutorials.
    • Leverage Microsoft Learn resources, which offer extensive free training materials.
    • Focus on practical scenarios: e.g., “How to share a document for team collaboration,” “How to find company policies,” “How to conduct a project meeting.”
  2. Establish “Champions” Program:
    • Identify enthusiastic users in different departments who can become internal experts and advocates.
    • They can help answer questions, promote best practices, and gather feedback.
  3. Regular Review & Optimization:
    • Periodically review your Microsoft 365 usage from the Admin Center. Identify underutilized features or areas of confusion.
    • Gather feedback from users regularly to understand their pain points and suggestions for improvement.
    • Stay updated with new Microsoft 365 features and enhancements, and communicate relevant updates to your team.
    • Conduct content audits in SharePoint to ensure information remains relevant and accurate.
  4. Data Governance & Compliance:
    • Regularly review and enforce retention and deletion policies to manage data lifecycle and compliance.
    • Monitor audit logs in the Microsoft Purview compliance portal for suspicious activities or data breaches.

Conclusion

Microsoft 365 Business Premium offers a powerful toolkit for SMBs to foster a highly productive and secure collaboration environment. By thoughtfully designing your collaboration structure and diligently applying these best practices for SharePoint, Teams, and OneDrive for Business, you can empower your employees, streamline workflows, and ultimately drive greater success for your business. Remember, it’s an ongoing journey of refinement and user engagement, so keep learning and adapting!

New Defender for Office 365 Dashboard

A screenshot of the new Defender for Office 365 overview dashboard.

The new customer overview dashboard allows security teams to track efficacy across cyberthreats blocked pre-delivery, threats mitigated post-delivery, and even “missed” threats. It includes details on how Microsoft Defender for Office 365 capabilities like Safe link, Safe attachments, and Zero-hour Auto Purge contribute to threat protection across an organization. Our goal is simple: to help you confidently answer the question “How are my organization’s users being protected from malicious content and cyberattacks when using email and other collaboration surfaces like Microsoft Teams?”

Transparency on Microsoft Defender for Office 365 email security effectiveness

View it now – https://security.microsoft.com | Email & Collaboration | Overview

Using Multiple Authenticator Apps with One Microsoft 365 Account: Guide for MSPs

bp1

For Managed Service Providers (MSPs) with multiple employees managing numerous customer Microsoft 365 tenants, efficiently and securely handling multi-factor authentication (MFA) is crucial. While a single Microsoft 365 user account typically links to one primary authenticator, there are legitimate scenarios and best practices for MSPs to leverage multiple authenticator apps for a single user, enhancing both security and operational flexibility.

Why Multiple Authenticator Apps for an MSP User?

While the general recommendation for individual users is to have a single, primary authenticator app for an account, MSPs often encounter unique needs:

  • Redundancy and Backup: In case a primary device is lost, stolen, or damaged, a secondary authenticator on another device ensures access isn’t lost, preventing costly downtime.
  • Shared Administrative Accounts (with caution): While not ideal, some MSP workflows might necessitate a shared administrative account for specific, highly controlled scenarios (e.g., break-glass accounts). In such cases, multiple technicians might need access to the MFA codes, making multiple authenticators a practical, albeit carefully managed, solution.
  • Employee Transition: When an employee leaves, transferring MFA access to a new team member can be streamlined if a secondary authenticator is already configured on a shared, secure device (e.g., a dedicated company phone for administrative access).
  • Location/Device Flexibility: Technicians working from different locations or using various company-issued devices might benefit from having the authenticator configured on each frequently used device.

Best Practice Approaches for MSPs

The core principle for MSPs managing MFA is to prioritize security while maintaining operational efficiency. Here’s a breakdown of best practices:

1. Leverage Conditional Access Policies (Azure AD Premium P1 or P2)

Conditional Access is the gold standard for managing MFA in Microsoft 365, especially for MSPs. It offers granular control over when and how MFA is enforced, allowing for much more sophisticated policies than basic security defaults.

  • Granular Control: Define policies based on user groups, location (trusted IPs, risky locations), device state (compliant, hybrid Azure AD joined), application being accessed, and sign-in risk.
  • MFA for Administrative Roles: Always enforce MFA for all administrative roles (Global Administrator, User Administrator, Helpdesk Administrator, etc.) across all customer tenants.
  • Location-Based MFA: Require MFA for sign-ins from outside your MSP’s trusted network locations.
  • Risky Sign-ins: Automatically require MFA or block access for sign-ins detected as risky by Microsoft Entra ID Protection.
  • Device Compliance: Require MFA for access from non-compliant devices.
  • Prioritize Microsoft Authenticator: Encourage or enforce the use of the Microsoft Authenticator app for push notifications or number matching. This is generally more secure and user-friendly than SMS or voice calls.
  • Phased Rollout: When implementing or modifying MFA, conduct a phased rollout. Start with your internal IT staff, then move to pilot groups, and finally to all users.
2. Designate Specific Authenticators for Specific Purposes

Avoid a free-for-all with authenticators. Be strategic:

  • Primary Authenticator (User’s Personal Device): The Microsoft Authenticator app on the technician’s primary work smartphone should be their main MFA method. This offers convenience and strong security (push notifications, biometrics).
  • Secondary Authenticator (Company-Provided Device or FIDO2 Key): For backup or shared administrative accounts (used rarely and with extreme caution), a secondary authenticator on a company-issued device (tablet, spare phone) or a hardware security key (FIDO2) is preferable. FIDO2 keys offer the strongest phishing resistance.
  • Avoid SMS/Voice as Primary MFA: While useful for recovery, SMS and voice MFA are susceptible to SIM-swapping and other attacks. Limit their use as primary authentication methods, especially for administrative accounts.
3. Implement Break-Glass Accounts

Maintain a small number of highly secured “break-glass” or emergency access accounts. These accounts are exempt from normal Conditional Access policies and are only used in extreme emergencies (e.g., a global MFA outage, or if all administrators are locked out). These accounts should:

  • Be cloud-only (not synchronized from on-premises AD).
  • Have strong, complex passwords stored securely and offline.
  • Be monitored for any sign-in activity.
  • Have their credentials rotated regularly.
  • Ideally, use hardware FIDO2 keys for MFA.
4. Regular Auditing and Monitoring
  • MFA Registration Reports: Regularly review who has registered for MFA and what methods they’ve configured.
  • Sign-in Logs: Monitor sign-in logs for unusual activity, failed MFA attempts, or sign-ins from untrusted locations. Microsoft 365 Lighthouse (for CSP partners) and Azure AD reports can provide consolidated views across tenants.
  • Access Reviews: Periodically review administrative roles and MFA configurations for all users, especially for those with elevated privileges.
5. Training and Documentation
  • User Education: Train your MSP employees on the importance of MFA, how to use their authenticator apps correctly, and how to report suspicious MFA prompts.
  • Internal Procedures: Document your internal policies for MFA, including how to set up new authenticators, handle lost devices, and manage break-glass accounts.

Step-by-Step Configuration: Adding Multiple Authenticator Apps to a Single User

This process generally involves the user adding additional authentication methods through their security info settings. An administrator initiates MFA enforcement, and the user then registers their chosen methods.

Prerequisites:
  • A Microsoft 365 user account.
  • Global Administrator or Authentication Administrator role (for initial setup/management).
  • Microsoft Authenticator app installed on the primary device.
  • Secondary device (another smartphone/tablet) for the second authenticator app.
  • (Optional) FIDO2 Security Key.
  • Azure AD Premium P1/P2 license for Conditional Access (highly recommended for MSPs).
Step 1: Enable MFA (if not already enabled)

For MSPs, using Conditional Access policies is the recommended way to enable and enforce MFA. Security Defaults are a simpler option but offer less flexibility.

Method A: Using Conditional Access Policies (Recommended for MSPs)
  1. Sign in to the https://entra.microsoft.com/ Microsoft Entra admin center (formerly Azure Active Directory admin center) as a Global Administrator.
  2. Navigate to Protection > Conditional Access.
  3. Click + New policy.
  4. Name the policy: e.g., “MFA for All Users” or “MFA for Admins”.
  5. Under Assignments > Users or workload identities, select the relevant scope (e.g., All users, or specific administrative roles/groups). For MSPs, definitely target administrative roles.
  6. Under Cloud apps or actions, select All cloud apps (or specific sensitive apps).
  7. Under Conditions (optional, but highly recommended for MSPs):

    • Locations: Exclude trusted locations (e.g., your MSP office IP ranges) to reduce MFA prompts when users are on-site, but require MFA when outside.
    • Device state: Consider requiring MFA for non-compliant devices.
    • Sign-in risk: Set to require MFA for medium or high sign-in risk.
  8. Under Grant:

    • Select Grant access.
    • Check Require multi-factor authentication.
  9. Set Enable policy to On.
  10. Click Create.
Method B: Using Security Defaults (Simpler, less flexible – good for quick enforcement)

If you don’t have Azure AD Premium licenses, Security Defaults provide a baseline level of MFA enforcement.

  1. Sign in to the https://entra.microsoft.com/ Microsoft Entra admin center as at least a Security Administrator.
  2. Browse to Identity > Overview > Properties.
  3. Select Manage security defaults.
  4. Set Security defaults to Enabled.
  5. Select Save.

Note: If you previously had “per-user MFA” enabled, you must disable it before using Conditional Access or Security Defaults. You can do this from the Microsoft 365 admin center > Users > Active users > Multi-factor authentication link, and set user status to disabled.

Step 2: User Registers Their First Authenticator App (Primary)

The first time a user signs in after MFA is enabled, they will be prompted to set it up.

  1. The user navigates to https://myaccount.microsoft.com/.
  2. They sign in with their username and password.
  3. They will see a message: “Your organization needs more information to keep your account secure.” Click Next.
  4. On the “Keep your account secure” page, they will be prompted to set up the Microsoft Authenticator app (recommended).

    • Choose Mobile app from the dropdown.
    • Select Receive notifications for verification (for push notifications) or Use verification code (for TOTP codes). Push notifications are preferred for ease of use and security. Click Set up.
    • A QR code will appear on the screen.
  5. On their primary smartphone:

    • Open the Microsoft Authenticator app.
    • Tap the + sign (top right on iOS, top left on Android) and choose Work or school account.
    • Select Scan a QR code and scan the code displayed on the computer screen.
    • The account will be added to the app.
  6. On the computer, click Next. Microsoft will send a test notification to the app.
  7. On the smartphone, approve the notification (or enter the number matching code if enabled).
  8. Once verified, click Next on the computer.
  9. They may be prompted to set up an alternative verification method (e.g., phone number) as a backup. It’s recommended to do this.
  10. Click Done.
Step 3: User Registers a Second Authenticator App (or another method)

Once the primary authenticator is set up, the user can add additional methods via their security info page.

  1. The user navigates to https://myaccount.microsoft.com/ and signs in (they will be prompted for MFA using their primary method).
  2. On the left-hand navigation, click Security info.
  3. Click + Add method.
  4. From the dropdown, choose the desired method:

    • Authenticator app: To add the Microsoft Authenticator app to a second device or another TOTP authenticator (e.g., Google Authenticator, Authy).
    • Phone: To add a secondary phone number for SMS or voice calls (less secure, use with caution for admin accounts).
    • Security key: To add a FIDO2 hardware security key (highly recommended for strong phishing resistance).
  5. For a second Authenticator App:
    1. Select Authenticator app and click Add.
    2. Follow the on-screen prompts. It will present a new QR code.
    3. On the second device, open the chosen authenticator app (e.g., Microsoft Authenticator, Google Authenticator).
    4. Add a new account (Work or school account for Microsoft Authenticator, or generic TOTP for others) and scan the QR code.
    5. Complete the verification steps.
  6. For a Security Key (FIDO2):
    1. Select Security key and click Add.
    2. Follow the instructions. This will involve plugging in the FIDO2 key and touching it when prompted.
    3. Give the key a memorable name.
  7. Once successfully added, the new authentication method will appear in the “Security info” list. The user can also set a default sign-in method from this page.
Important Considerations for MSPs:
  • Dedicated Admin Accounts: For managing customer tenants, use dedicated administrative accounts for each technician rather than a single shared account, where possible. This improves auditability and accountability. When shared accounts are necessary (e.g., for legacy systems or break-glass scenarios), ensure they are tightly controlled and monitored.
  • Microsoft 365 Lighthouse: For CSP partners, Microsoft 365 Lighthouse offers a centralized portal to manage multiple customer tenants, including MFA configuration and monitoring. This can significantly streamline MSP operations.
  • Azure Lighthouse: For Azure services, Azure Lighthouse enables MSPs to manage resources across customer subscriptions from their own tenant, reducing the need for direct access to customer tenants and simplifying MFA management.
  • Privileged Identity Management (PIM): For high-privileged roles, implement PIM to provide just-in-time and just-enough access. This requires administrators to activate their elevated roles, and each activation can require MFA, even if their standard user account doesn’t.
  • Regular Reviews: Conduct quarterly or bi-annual reviews of all administrative access, including MFA configurations, for all customer tenants.

By following these best practices and understanding the configuration steps, MSPs can effectively manage multiple authenticator apps for their users, enhancing security posture across all their managed Microsoft 365 customer environments.