The Conversation I Keep Having About Copilot

Last week a manager asked me how to write the perfect prompt. She had a sticky note on her monitor with about thirty bracketed placeholders and a warning to always start with role, then context, then task. I asked her how often she actually used it. She laughed and said almost never — it felt like homework before the real work could start.

That moment captured something I’ve been thinking about for a while. The industry has spent two years training people to be better prompters, when the real productivity gains sit one layer up. With Copilot Cowork, the unit of leverage isn’t the prompt — it’s the skill.

Prompts Are Disposable. Skills Compound.

A prompt is a single instruction. You type it, you get something back, and then it’s gone. Tomorrow morning you start again. Even a brilliantly worded prompt only helps the person who wrote it, on the day they wrote it, for the task in front of them.

A Copilot Cowork skill is different. It’s a packaged way of working — a brief, a checklist, a structure, a tone — that anyone in your organisation can invoke by name. Once it exists, it doesn’t degrade. It doesn’t get lost in someone’s chat history. It runs the same way on a Tuesday morning as it does on a Friday afternoon, and it carries the thinking of whoever built it forward into every future use.

That is leverage. Prompt engineering is a craft. Skills are an asset.

Where the Productivity Actually Lives

The real productivity question in any business isn’t how do I get a better answer from Copilot today — it’s how do we stop solving the same problem from scratch every time. Skills are the answer to that question.

Think about what happens in a typical week. Someone needs to write a board update. Someone else has to brief a meeting. A third person is drafting a proposal that looks suspiciously like the last three proposals. In a prompt-engineering world, each of those people opens Copilot in Word or Outlook and tries to remember the magic incantation. In a skills world, they invoke a Board Update skill or a Meeting Brief skill and Copilot already knows the structure, the voice, the sources to pull from in SharePoint, and the people in Teams who usually need looping in.

The hours saved aren’t in the typing. They’re in not having to think the problem through again, hunt for the right template, or remember which version of the prompt actually worked last time.

The Shift Business Leaders Need to Make

If you’re leading a team, the question worth asking isn’t are my people good at prompts? It’s what work do we do over and over that should be a skill by now? The recurring report. The standard reply. The new-client onboarding sequence. The monthly review pack assembled from Excel, Outlook and a SharePoint folder no one can quite remember the path to.

Each of those is a skill waiting to exist. And the moment it does, the productivity gain isn’t a one-off — it accrues every time anyone in the business uses it.

What I’m Watching

I think the businesses that win the next stretch with Copilot won’t be the ones with the cleverest prompters. They’ll be the ones who treat their best ways of working as something to package, name, and share. Prompt engineering helps one person, once. A well-built skill helps the whole organisation, every time. That’s where the productivity actually shows up.

Need to Know podcast–Episode 366

Join me as I unpack the most impactful Microsoft Build 2026 announcements for SMBs, including Work IQ’s general availability, new autopilot and Scout agent features, enhanced agent security with Microsoft Execution Containers, and the latest MAI models for code, image, and voice. Discover how upcoming Work IQ APIs, OpenClaw integration with Windows, and the shift toward hybrid AI solutions are shaping the future of business technology, with practical insights on cost control, disaster recovery, and agentic security. Don’t miss this episode for actionable takeaways and expert analysis on the evolving AI landscape.

Brought to you by www.ciaopspatron.com

you can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-366-build-2026/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog

Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron

CIAOPS AI Dojo

CIAOPS weekly news update – CIA Brief – CIAOPS

CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS

Get your M365 questions answered via email

Join my email list

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

Microsoft Build 2026 blog – Be yourself at work

Developer-Tech – AI agents, Copilot, Windows developer tools

VentureBeat – AI agents and enterprise use cases

Thurrott – Scout personal work agent and AI models

VentureBeat – Data silos and Microsoft IQ

Windows Report – Securing code agents and AI models

Engadget – Build 2026 live blog

Microsoft Learn – Work IQ in Azure Foundry

Firstpost – MXC, OpenClaw, and OpenShell

Copilot in PowerPoint

Most people type “make me a presentation about cyber security” into Copilot, watch it spit out ten generic slides, and decide the whole thing is a gimmick.

I don’t blame them. That output is rubbish.

But that’s not Copilot failing. That’s Copilot doing exactly what you asked — building from nothing, with no source, no structure, no brand.

Garbage in, garbage slides out.

Here’s the shift. Copilot in PowerPoint isn’t a “write my deck” button. It’s a converter. You already have the content — a Word doc, a PDF proposal, last quarter’s report. The job isn’t inventing slides. It’s turning what you’ve already written into something you can stand up and present.

What is Copilot in PowerPoint, really?

Think of it as the worst part of your week, automated.

You know the drill. The thinking is done. The report is written. The client signed off on the wording. Now you’ve got two hours of copy-pasting into slides, fighting text boxes, and nudging the logo a pixel to the left.

Copilot eats that two hours.

You point it at a file. It reads the structure, pulls the key points, and drafts slides — text, layout, the lot. You’re not staring at a blank slide anymore. You’re editing a first draft.

That’s the whole game. Not creativity. Removal of drudgery.

Step-by-Step: building a deck that doesn’t look generic

Open your template first

This is the step everyone skips, and it’s the one that matters most.

Before you touch Copilot, open your organisation’s PowerPoint template — your branded .potx, your client’s deck, whatever carries the right fonts and colours. Microsoft is explicit about this: start from your template and Copilot keeps the theme and reuses your existing layouts.

Skip it, and you get Microsoft’s house style. Every. Single. Time.

Reference your file, don’t describe it

Open the Copilot pane, then reference a file — click the paperclip, or just type / and pick the document. Word, PDF, Excel, a Loop page. Now Copilot reads the actual content instead of guessing at it.

Write a prompt that points, not pleads

Don’t ask for a slide “about the project”. Tell it exactly where to look:

Create slides from the attached proposal.
Use the "Scope" and "Pricing" sections only.
One slide per phase. Key points, not full sentences.

Notice what’s missing? Any mention of colours, fonts, or design. You don’t ask Copilot for those — your template already decided them. Ask once, point clearly, and let the template do the rest.

Review, then refine in place

Copilot drafts. You read. Then you tell it what’s wrong — “tighten slide three”, “drop the jargon”, “add a summary slide” — in plain English, right there in the pane. No re-prompting from scratch.

A couple of traps before you sell this to clients

Two things will bite you.

First, dense slides. Copilot tends to lift whole paragraphs straight off the page. If your source doc reads like a report, your slides will too. Fix it in the prompt — “bullet points, not sentences” — or trim after.

Second, the file has to be readable. Text-based PDFs work. Scanned images and password-protected files don’t. And keep source files under 24MB, or the results get flaky.

Old thinking: “I’ll block out the afternoon to build the deck.” New thinking: “I’ll point Copilot at the doc and spend the afternoon making it good.”

That’s not a small change. That’s where your hours go back.

Why this actually changes behaviour

Here’s the real win for anyone running this in a business.

Your team already produces the content. Proposals, reports, meeting notes — the substance exists. What kills them is the packaging. The deck that has to look right for the board, the client, the pitch.

Copilot collapses the gap between “we’ve written it” and “we can present it”. The expensive part — the thinking — stays human. The tedious part disappears.

And be straight about the cost. The file-referencing piece sits behind the paid Microsoft 365 Copilot add-on, not the base subscription. For a lot of SMB clients, this is the use case that justifies the licence. Not chatbots. This.

Show a client how an afternoon of slide-building becomes ten minutes, and the conversation about value is over.

If you’re running Microsoft 365 for clients and you’re not showing them this, you’re leaving real money — theirs and yours — on the table.

Copilot in PowerPoint isn’t there to make your slides.

It’s there to delete the part of the job nobody ever wanted.

Defender Vulnerability Management

Most people treat Defender Vulnerability Management like a weather report. They glance at the exposure score, nod, and close the tab.

That’s a waste.

The score isn’t the point. The workflow behind it is. And the part almost nobody uses — the bit that actually moves the needle — is the security baselines assessment sitting right next to it.

Here’s the thing. Patching tells you whether software is current. A baseline tells you whether it’s configured the way it’s supposed to be. Those are two completely different questions, and the second one is where most SMB environments quietly fall apart.

What are security baselines, really?

A baseline is a benchmark of configuration settings — things like password policy, BitLocker, account lockout, audit logging — measured against an industry profile.

In Defender, you assess your devices against the CIS or STIG benchmarks, pick a level (L1 is sensible-default, L2 is locked-down), and the tool tells you, device by device, setting by setting, where you comply and where you don’t.

Not “you’re missing 14 patches.” More like “BitLocker isn’t enforced on 9 machines and your audit policy is wide open.” That’s the stuff attackers love and scanners ignore.

The security baselines assessment documentation walks through the profile options if you want the full menu.

Step-by-Step: Build a baseline profile

You’ll need Defender for Endpoint Plan 2 with the MDVM add-on, or the MDVM Standalone licence. Then head to the Microsoft Defender portal → Exposure management → Baselines assessment.

Create the profile

Give it a name, choose your benchmark (CIS or STIG), choose your OS, choose your level. Start at L1. You can tighten later — leading with L2 just buries you in red.

Scope it to a device group

Don’t boil the ocean. Point it at one group — a handful of servers, or the managed laptops — and let it run.

Read the results by setting, not by score

Open the profile and sort by compliance. Each failing setting lists exactly which devices miss it. This is your work queue.

Now the part that earns its keep: exceptions

Here’s the reality every MSP knows. Some findings you can’t fix. The line-of-business app needs that legacy setting. The client won’t approve the downtime. The vendor says “don’t touch it.”

So what do most people do? Nothing. The finding sits there, red, forever — and after a while everyone stops looking because the dashboard is always angry.

That’s the trap. A permanently-red dashboard is the same as no dashboard.

The fix is the exception workflow. When you genuinely can’t remediate something, you file an exception — with a justification and an expiry date — and that finding drops out of your active exposure number. It doesn’t vanish. It’s parked, documented, and time-boxed.

Request the remediation first

For anything you can fix, connect Defender to Intune (it’s a toggle in the portal) and raise a remediation request straight from the recommendation. It lands in Intune as a tracked task instead of a Post-it note. The remediation request process covers the Intune connection.

File an exception for the rest

For the genuine “we can’t touch that,” create an exception with a real reason and a review date. The exceptions overview explains the justification types and how exceptions affect your exposure score.

“Doesn’t an exception just hide the problem?”

No. Hiding is when you ignore the red and hope. An exception is a decision — recorded, owned, and due for review. The difference is accountability.

Why this actually changes behaviour

Once you’re running baselines plus a disciplined exception workflow, “we can’t patch that one” stops being a silent gap. It becomes a documented, time-boxed choice with someone’s name on it.

That’s not a security feature. That’s a governance habit.

And it’s the exact thing that turns a vague “yeah, we’re secure” into a report you can hand a client.

If you’re not showing your clients their baseline posture and the exceptions you’ve signed off on, you’re leaving value — and trust — on the table.

The exposure score was never the deliverable. The conversation it lets you have is.

CIAOPS AI Dojo 13

What’s the session about?

This month we will be focusing on new Copilot features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

IT administrators and support staff
Business owners
People looking to get more done with Microsoft 365
Anyone looking to automate their daily grind

Save the Date

Date: Friday the 26th of June 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

Normal Is a Group Decision

I sat in a room recently with a group of MSP owners and listened to a conversation about pricing. Every person at the table was earning a decent living. Every person at the table was also quietly miserable about how hard they were working for it. Nobody was a bad operator. Nobody was lazy. They had simply, over years, settled into a shared idea of what “normal” looked like — and that idea was the ceiling.

That moment stuck with me, because I think most of us underestimate how much the people around us shape what we believe is possible.

Limited isn’t the same as bad

When something feels stuck — your business, your income, your role, your energy — the easy story is that someone is doing you wrong. A bad client. A bad supplier. A bad staff member. In my experience that’s rarely the real problem. The real problem is quieter. You’re surrounded by perfectly decent people who have made peace with a smaller version of the game than you secretly want to play.

Limited people aren’t villains. They’re warm, helpful, often very good at what they do. They just don’t think bigger than what they already have, and over time that becomes the air you breathe. You stop pitching certain projects. You stop charging certain prices. You stop applying for certain rooms. Not because anyone told you not to — because nobody around you is doing it either. The same thing happens with the clients you accept and the staff you hire. Like attracts like, and the average keeps quietly resetting itself downwards.

Audit the room

The room is bigger than you think. It’s the peer group you call when something goes sideways. It’s the chat you scroll while the kettle boils. It’s the three or four voices you hear most often inside your head when you’re making a decision. If those voices have all settled, you will too.

This is where I find Microsoft 365 quietly useful, in a way that has nothing to do with productivity. I use Copilot in Outlook to clear the noise faster, so the time I free up actually goes into conversations with sharper people — not back into more email. I use Copilot Chat to pressure-test my own thinking before I send a proposal: “argue against this”, “what would a more ambitious version look like”, “what am I leaving on the table”. It doesn’t replace good humans. It does stop me defaulting to the average opinion in my own head.

I also pay closer attention to which Teams communities and channels I actually show up in. If every conversation I’m part of is about doing the same thing slightly better, I’ve answered my own question about why my ceiling hasn’t moved. I keep a running Loop page of articles, podcasts and operators who think a level above where I am now, and I make myself read it before I make a decision I might otherwise rush.

Move the ceiling on purpose

You don’t have to fire your friends. You do have to be honest about what each room teaches you. Add one peer group that’s a level above where you are now. Subscribe to one voice who genuinely makes you uncomfortable in a useful way. Spend one hour a week somewhere your current “normal” would feel small.

The ceiling is invisible until you sit somewhere with a higher one. Then you wonder how you ever called the old one a roof.

CIAOPS Need to Know Microsoft 365 Webinar – June

laptop-eyes-technology-computer_thumb

Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at SharePoint Skills.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

June Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2606 )

The details are:

CIAOPS Need to Know Webinar – June 2026
Friday 26th of June 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Youtube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Three Power Automate flows every MSP should productise

Every MSP I talk to has the same Power Automate problem.

Not a tech problem. A consistency problem.

Client A has a leave-request flow built by some intern in 2022. Client B has an onboarding flow that emails three people, one of whom left last year. Client C runs approvals through someone’s personal Outlook because it was “quicker that way”.

That’s not automation. That’s tribal knowledge held together by hope.

The fix isn’t more flows. The fix is three flows, built once, exported, and dropped into every client tenant you touch.

What is a Power Automate solution, really?

A flow on its own is a personal toy. It lives in someone’s default environment, it’s owned by one person, and the day they leave the tenant the flow dies with them.

A solution is that same flow, packaged with connection references and environment variables, exported as a file, and imported into any other tenant. Same flow. Different SharePoint site, different approvers, different mailbox — wired up at import time, not hardcoded.

That’s the move. Stop building per-client. Start building once and deploying everywhere.

If you’re charging your clients for automation as a service, this is what productisation actually looks like.

The three worth standardising

There are hundreds of templates in the Power Automate gallery. Most MSPs don’t need hundreds. They need three:

Approvals — anything that needs a yes/no with an audit trail
Joiner (onboarding) — new staff member, day one
Leaver (offboarding) — staff member out, access gone, evidence kept

Build those three properly as a managed solution and you’ve covered eighty percent of the automation requests you’ll get from an SMB client this year.

Step-by-Step: stand up the Approvals flow first

Open Power Automate inside a dedicated solution

Sign in to Power Automate, pick Solutions on the left, and create a new one. Give it a publisher name like YourMSP_Automation. Don’t skip this. Flows created outside a solution can’t be exported cleanly later.

Pick the right approval type

Open the Start and wait for an approval action and look at the dropdown. There are four real options — Approve/Reject – Everyone must approve, Approve/Reject – First to respond, Custom Responses – Wait for all responses, Custom Responses – Wait for one response — plus sequential. Most SMB approvals are First to respond. Document sign-offs are usually Everyone must approve. Pick deliberately. The full approvals reference is on Microsoft Learn.

Use environment variables for the approvers, not hardcoded emails

This is the bit MSPs skip and then regret. Don’t type finance@clientco.com into the Assigned To box. Create an environment variable called ApproverEmail, reference it in the action, and set the value at import time.

Here’s what the assignment looks like in the action:

@{parameters('ApproverEmail (yourmsp_approveremail)')}

Notice what’s missing? A client name. That’s the point. Same flow, twelve tenants, twelve different approver emails — none of them baked into the export.

Export it as a managed solution

Solutions > your solution > Export > Managed. You ship managed solutions to client tenants and keep the unmanaged copy in your build tenant. Microsoft’s import guide walks through what the receiving tenant sees — connection references prompt for new accounts, environment variables prompt for values, and your flow turns itself on when it lands.

Joiner and Leaver follow the same shape

For Joiner the trigger is usually a new Microsoft Lists item or a Forms submission. The flow creates the Entra user, assigns licences, drops them into groups, posts a welcome card to a Teams channel, and sends the manager an approval to confirm everything looks right before the password lands in the helpdesk mailbox.

For Leaver the trigger is the same list, different status. The flow disables sign-in, revokes sessions, converts the mailbox to shared, transfers OneDrive ownership to the manager, and writes a row to a SharePoint list that becomes your audit trail when the cyber insurance auditor asks “what was your offboarding process on the 14th of March?”.

Both flows reuse the same three environment variables — HelpdeskMailbox, ManagerApprovalGroup, OffboardingEvidenceList. Build once. Import twelve times. Done.

One more thing: lock the connectors down before you ship

Before you push any of this into a client tenant, set a Data Loss Prevention policy in the Power Platform admin centre. Put Office 365, Approvals, SharePoint, and Teams connectors in the Business group. Put Twitter, Dropbox, Gmail, and the rest in Non-Business or Blocked. Microsoft’s DLP guidance spells out why this matters: without it, any maker in the tenant can build a flow that pipes mailbox data into a personal Dropbox.

Before: “Can you build us a leave-request flow?”

After: “We’ll deploy our standard approvals solution to your tenant on Friday.”

That’s the shift. From bespoke build to productised deployment. From “this might take a few days” to “this is a forty-minute import”.

Why this actually changes behaviour

If you’re an MSP and you’ve built the same flow three times for three clients, you’re not running an MSP. You’re running a freelance bench with a logo.

The three-flow library — approvals, joiner, leaver — is the smallest automation product that pays back. It compresses delivery time. It standardises what “good” looks like across every client you touch. And when a client says “we’d like our offboarding to leave evidence for our cyber insurer”, you don’t quote a project. You import a solution.

Here’s the real win. Once these three are running cleanly, the conversation with the client changes. They stop asking if you can automate something. They start asking what else you’ve already got in the library.

That’s where the margin is.

Build the flow once. Sell the deployment every time.