How to configure Microsoft 365 for maximum native data recovery


Understanding Native Recovery vs. Backup

It’s crucial to understand that Microsoft 365’s native features focus on data retention, versioning, and recovery from accidental deletion or modification, primarily for compliance, legal holds, and user errors. They are not a traditional point-in-time backup solution that protects against all scenarios (like widespread ransomware encryption beyond versioning limits, catastrophic service failures, or malicious admin actions wiping configurations). Microsoft operates on a Shared Responsibility Model.

Key Concepts for Maximizing Native Recovery Time

  1. Retention Policies (Microsoft Purview): This is the MOST IMPORTANT tool for maximizing recovery time. Retention policies ensure data is kept for a specified period, regardless of user actions (like deletion). Data subject to a retention policy is typically moved to a hidden, preserved location when deleted by a user.

  2. Litigation Hold / In-Place Hold: Similar to retention policies but often used for specific legal cases. They preserve all mailbox or site content indefinitely or until the hold is removed. Holds generally override deletion policies.

  3. Versioning: Automatically saves previous versions of files in SharePoint Online and OneDrive for Business, allowing users to restore older copies.

  4. Recycle Bins: A two-stage system for deleted items/files, providing a buffer before permanent deletion.

  5. Recoverable Items Folder (Exchange Online): A special folder in user mailboxes that stores deleted items, items purged from Deleted Items, and modified versions of items (if Single Item Recovery is enabled).

Configuration Steps for Maximum Recovery Time (Service by Service)

1. Exchange Online (Email, Calendar, Contacts, Tasks)

  • Configure Retention Policies (Microsoft Purview Compliance Portal):
    • Goal: Keep email data for the longest possible duration required by your organization (e.g., 7 years, 10 years, or even indefinitely for specific regulatory needs).

    • How:
      • Go to the Microsoft Purview compliance portal (compliance.microsoft.com).

      • Navigate to Data lifecycle management > Microsoft 365 > Retention policies.

      • Create a new policy.

      • Name & Description: Give it a clear name (e.g., “Exchange – Max Retention”).

      • Locations: Select Exchange mailboxes. Choose specific mailboxes or apply to all.

      • Retention Settings:
        • Choose Retain items for a specific period.

        • Select Forever or the maximum duration required (e.g., 10 years).

        • Set Retain items based on: Choose When items were created or When items were last modified based on your needs.

        • At end of retention period: Choose Do nothing (if you only want retention) or Delete items automatically (if you need cleanup after the retention period). For maximum recovery potential during the period, “Do nothing” is simpler, relying on deletion actions triggering preservation.
      • Review and create the policy. Allow time for it to apply (can take up to 24 hours, sometimes longer for large organizations).
  • Configure Recoverable Items Folder Quota & Retention:
    • The default retention for items in the Recoverable Items folder (when not under hold/retention policy) is 14 days, extendable to 30 days via PowerShell.

    • However, if a mailbox is subject to a Retention Policy (set to Retain) or Litigation Hold, items are kept in the Recoverable Items folder (specifically the Purges or DiscoveryHolds subfolders) effectively indefinitely or for the duration of the policy/hold, regardless of the 14/30 day setting. The main limit becomes the storage quota.

    • Increase Quota (If Necessary): The default quota is 30 GB, with an auto-expanding archive providing an additional 100 GB (up to 1.5 TB for certain licenses). For very high-volume mailboxes under indefinite hold, you might monitor this, but it’s usually sufficient. Use PowerShell Set-Mailbox <mailbox_identity> -RecoverableItemsQuota <value> -RecoverableItemsWarningQuota <value> if needed, though holds often trigger the auto-expansion.
  • Enable Litigation Hold (Alternative/Supplement to Retention Policies):
    • Can be enabled per mailbox via the Exchange Admin Center or PowerShell (Set-Mailbox <mailbox_identity> -LitigationHoldEnabled $true -LitigationHoldDuration <days> or leave duration off for indefinite).

    • Often used for specific users/cases but achieves similar preservation to a “Retain Forever” policy.
  • Deleted Mailbox Retention: By default, deleted mailboxes are kept for 30 days (soft-deleted) and can be recovered during this period. This is generally fixed.
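The Exchange Online settings above (the 14/30-day Recoverable Items window, Litigation Hold and the Recoverable Items quota) can be audited and adjusted in bulk from Exchange Online PowerShell. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator role, and placeholder mailbox identities.

```powershell
# Added example (not from the original post): audit and configure the
# Exchange Online settings that govern Recoverable Items retention.
# Assumes the ExchangeOnlineManagement module and an account holding the
# Exchange Administrator role. UPNs below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Report every user mailbox's deleted-item window, hold state and quota.
#    RetainDeletedItemsFor is the 14-day default described above; InPlaceHolds
#    lists the retention policies / eDiscovery holds applied to the mailbox.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, UserPrincipalName,
        RetainDeletedItemsFor, LitigationHoldEnabled, LitigationHoldDuration,
        @{Name = 'HoldCount'; Expression = { @($_.InPlaceHolds).Count }},
        RecoverableItemsQuota, RecoverableItemsWarningQuota
$report | Export-Csv -Path .\RecoverableItems-Audit.csv -NoTypeInformation

# 2. Extend the default window to its 30-day maximum for mailboxes that are
#    under no hold at all (hold-covered mailboxes keep items regardless).
$report |
    Where-Object { -not $_.LitigationHoldEnabled -and $_.HoldCount -eq 0 } |
    ForEach-Object {
        Set-Mailbox -Identity $_.UserPrincipalName -RetainDeletedItemsFor 30
    }

# 3. For mailboxes under hold, storage (not the timer) is the effective limit,
#    so report how full the Recoverable Items folder actually is.
$report |
    Where-Object { $_.LitigationHoldEnabled -or $_.HoldCount -gt 0 } |
    ForEach-Object {
        Get-MailboxFolderStatistics -Identity $_.UserPrincipalName -FolderScope RecoverableItems |
            Where-Object { $_.FolderPath -eq '/Recoverable Items' } |
            Select-Object @{Name = 'Mailbox'; Expression = { $_.Identity }},
                          FolderAndSubfolderSize, ItemsInFolderAndSubfolders
    } | Format-Table -AutoSize

# 4. Place one mailbox on indefinite Litigation Hold: omitting
#    -LitigationHoldDuration means "no end date", as described above.
Set-Mailbox -Identity 'legal.user@contoso.example' -LitigationHoldEnabled $true   # placeholder

Disconnect-ExchangeOnline -Confirm:$false
```

Run the report step first and keep the CSV; it is the baseline you compare against after the retention policy from Purview has finished distributing, because a mailbox that shows up with a HoldCount of zero is the one whose deleted mail really is on the 14/30-day clock.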

2. SharePoint Online (Team Sites, Communication Sites, Document Libraries)

  • Configure Retention Policies (Microsoft Purview Compliance Portal):
    • Goal: Retain documents and site content long-term.

    • How:
      • Similar to Exchange, create a Retention Policy in Purview.

      • Locations: Select SharePoint classic and communication sites. Choose specific sites or apply to all.

      • Retention Settings: Choose Retain items for a specific period (e.g., Forever, 10 years) based on Created date or Last modified date. Choose Do nothing or Delete at the end of the period.

      • Preservation Hold Library: When a retention policy is active, deleted or modified content is preserved in this hidden library within the site collection, consuming storage quota.
  • Configure Versioning:
    • Goal: Allow restoration of previous file versions.

    • How:
      • Go to the Document Library settings > Versioning settings.

      • Ensure Create major versions is enabled.

      • Set Keep the following number of major versions: Increase this significantly. The technical maximum is 50,000, but a high number like 500 or 1000 is usually practical and provides substantial recovery capability. Consider storage implications.

      • You can also enable minor versions if needed, but major versions are key for rollback.
  • Recycle Bin Settings:
    • The total retention time for the user Recycle Bin + Second-Stage Recycle Bin (Site Collection Recycle Bin) is 93 days. This is generally not configurable per site. Items automatically move from the first to the second stage after 30 days (unless emptied sooner) and are purged after the total 93 days. Retention Policies/Holds override this purging for covered content.
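Setting the versioning limit library by library does not scale, so the following PnP PowerShell script applies the high major-version limit discussed above to every document library in a site. It is an added example, not code from the original post; it assumes the PnP.PowerShell module, a registered Entra app client ID for interactive sign-in, and site owner rights. The site URL, client ID and 500-version target are placeholders.

```powershell
# Added example (not from the original post): enforce a high major-version
# limit on every document library in a site with PnP PowerShell.
# Assumes PnP.PowerShell and a registered Entra app for interactive sign-in.
Import-Module PnP.PowerShell
$SiteUrl     = 'https://contoso.sharepoint.com/sites/Finance'   # placeholder
$AppId       = '00000000-0000-0000-0000-000000000000'            # placeholder Entra app ID
$MaxVersions = 500                                               # 500-1000 is the practical range given above

Connect-PnPOnline -Url $SiteUrl -ClientId $AppId -Interactive

# BaseTemplate 101 = document library. Hidden system libraries are skipped.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, EnableMinorVersions, Hidden |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

# Record the current state before changing anything.
$before = foreach ($lib in $libraries) {
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        MinorVersions     = $lib.EnableMinorVersions
    }
}
Write-Host 'Current versioning settings:'
$before | Format-Table -AutoSize

# Raise the limit only where it is below the target; never lower a higher one.
foreach ($lib in $libraries) {
    if (-not $lib.EnableVersioning -or $lib.MajorVersionLimit -lt $MaxVersions) {
        Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $MaxVersions
        Write-Host "Updated '$($lib.Title)': major versions -> $MaxVersions"
    }
}

# Versions count against the site quota. This check needs the SharePoint
# Administrator role; drop it if you only have site owner rights.
Get-PnPTenantSite -Identity $SiteUrl |
    Select-Object Url, StorageUsageCurrent, StorageQuota
```

The "never lower" guard matters: a library that an owner already set to 1000 versions should not be pulled back to 500 by a tenant-wide script, since dropping the limit prunes history that may be the only copy of a file's earlier state.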

3. OneDrive for Business (User Personal Files)

  • Configuration is very similar to SharePoint Online:
    • Retention Policies (Purview): Create policies targeting OneDrive accounts. Apply to specific users or all users. Set long retention periods.

    • Versioning: Enabled by default, typically storing 500 versions. You can verify or adjust this in the user’s OneDrive Settings > Return to Classic OneDrive > Library Settings > Versioning Settings (though this path may change as the interface is updated). The key point is that high versioning is usually on by default.

    • Recycle Bin: Same 93-day, two-stage process as SharePoint, generally not configurable.

    • Files Restore: A key OneDrive (and SharePoint Library) feature allowing users/admins to restore the entire OneDrive/Library to a point in time within the last 30 days. This is excellent for mass deletion/corruption/ransomware recovery within that window. It relies on version history.

    • Deleted User OneDrive Retention: When a user account is deleted, their OneDrive content is retained for a default of 30 days (configurable up to 3650 days / 10 years via SharePoint Admin Center > Settings > OneDrive Retention). Access can be delegated to a manager during this time. After this period, the OneDrive enters a deletion process unless under a hold/retention policy. Configure this setting to your maximum desired timeframe.

4. Microsoft Teams (Chats, Channel Messages, Files)

  • Data Storage: Understand where Teams data lives:

    • 1:1 and Group Chats: Stored in hidden folders within the participants’ Exchange Online mailboxes.

    • Standard Channel Messages: Stored in a hidden folder within the Microsoft 365 Group mailbox associated with the Team.

    • Private/Shared Channel Messages: Stored in dedicated mailboxes associated with those channels (or user mailboxes for shared channels).

    • Files (Standard Channels): Stored in the associated SharePoint Team site’s Document Library (in a folder named after the channel).

    • Files (1:1/Group Chats): Stored in the OneDrive for Business account of the user sharing the file.

    • Files (Private/Shared Channels): Stored in dedicated SharePoint sites associated with those channels.
  • Configure Retention Policies (Purview):
    • You MUST configure retention policies specifically for Teams data, in addition to Exchange/SharePoint policies.

    • Create a policy targeting:

      • Teams channel messages: Covers standard/private/shared channel conversations.

      • Teams chats: Covers 1:1 and group chats (including Teams meeting chats).
    • Set your desired long retention period (e.g., Forever, 10 years).

    • Important: Ensure your Exchange and SharePoint/OneDrive retention policies also cover the underlying storage locations for comprehensive protection.
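The retention policies described for Exchange, SharePoint, OneDrive and Teams can be created from Security & Compliance PowerShell instead of the portal, which makes the configuration repeatable and reviewable. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and the Compliance Administrator role, and the policy names and 10-year duration are placeholders.

```powershell
# Added example (not from the original post): create the long-term retention
# policies described above with Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module and the Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

$tenYears = 3650   # retention duration in days; use 'Unlimited' for Forever

# Policy 1: Exchange mailboxes, SharePoint sites, OneDrive accounts and
# Microsoft 365 Group mailboxes/sites (the storage behind Teams files).
New-RetentionCompliancePolicy -Name 'Org - Max Retention' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All

# The rule: retain for 10 years from creation and take no action afterwards
# ("Do nothing" in the portal is RetentionComplianceAction Keep).
New-RetentionComplianceRule -Name 'Org - Max Retention Rule' `
    -Policy 'Org - Max Retention' `
    -RetentionDuration $tenYears `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction Keep

# Policy 2: Teams chats and channel messages. Teams locations cannot share a
# policy with the locations above, which is why a separate Teams policy is
# required, as stated above.
New-RetentionCompliancePolicy -Name 'Teams - Max Retention' `
    -TeamsChatLocation All `
    -TeamsChannelLocation All

New-RetentionComplianceRule -Name 'Teams - Max Retention Rule' `
    -Policy 'Teams - Max Retention' `
    -RetentionDuration $tenYears `
    -RetentionComplianceAction Keep

# Verify: both policies exist and their distribution has reached the
# locations (this can take up to 24 hours, as noted above).
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like '* - Max Retention' } |
    Select-Object Name, Enabled, DistributionStatus,
                  ExchangeLocation, SharePointLocation, OneDriveLocation,
                  TeamsChatLocation, TeamsChannelLocation

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the final Get-RetentionCompliancePolicy check the next day; a policy whose DistributionStatus has not reached Success is not yet preserving anything, and a deletion in that gap goes through the ordinary Recoverable Items or Recycle Bin timers.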

Native Recovery Methods (Without Third-Party Tools)

Exchange Online:

  1. Deleted Items Folder: User recovers recently deleted items (Outlook/OWA).

  2. Recover Deleted Items: User recovers items purged from Deleted Items or hard-deleted (Shift+Del), accessing the Recoverable Items Folder (Outlook/OWA). Limited by the 14/30 day window unless under hold/retention.

  3. Restore Deleted Mailbox: Admin recovers a soft-deleted mailbox within 30 days (Admin Center/PowerShell).

  4. eDiscovery Search (Purview): Admins (with permissions) search for and export mailbox content preserved by Retention Policies or Litigation Holds, even if deleted by the user years ago. This is the primary method for long-term recovery under retention.

  5. Recover Mailbox Items (PowerShell): Admins can use Search-Mailbox (older) or New-ComplianceSearch + New-ComplianceSearchAction -Purge -PurgeType SoftDelete/HardDelete (newer, more complex) to find and potentially recover specific items, often from the Recoverable Items folder. New-MailboxRestoreRequest can restore content from a soft-deleted or inactive mailbox to another mailbox.

SharePoint Online / OneDrive for Business:

  1. Recycle Bin (First Stage): User restores their own deleted files/items from the site/OneDrive Recycle Bin.

  2. Second-Stage Recycle Bin: Site Collection Admin restores items deleted from the first-stage Recycle Bin. (Total 93-day window combined).

  3. Restore Previous Version: User/Admin restores a file to an earlier state using the version history (available via File > Version History in Office apps, or the context menu in SharePoint/OneDrive web).

  4. Files Restore (OneDrive & SharePoint Libraries): User (OneDrive) or Site Admin (SharePoint Library) restores the entire OneDrive or Document Library content to a previous point in time within the last 30 days. Excellent for mass deletions/changes. Access via Settings gear > Restore your OneDrive / Restore this library.

  5. Restore Deleted Site: Admin restores a deleted SharePoint site collection within 93 days (SharePoint Admin Center > Deleted sites).

  6. eDiscovery Search (Purview): Admins search for and export documents/items preserved by Retention Policies or Holds from SharePoint sites/OneDrive accounts, even if deleted from Recycle Bins. Primary method for long-term recovery under retention.

  7. Preservation Hold Library Access (Advanced/Admin): While not a typical user recovery method, admins can sometimes access this hidden library (usually via URL manipulation or eDiscovery) to find preserved versions if standard methods fail, though eDiscovery is preferred.

  8. Restore Deleted OneDrive: Admin restores a soft-deleted OneDrive (within the configured retention period) or delegates access (Admin Center).
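Three of the admin-side recovery paths above (the 93-day deleted-site window, deleted OneDrive retention and the SharePoint Admin Center retention setting) can be handled together from the SharePoint Online Management Shell. The script below is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module and the SharePoint Administrator role, and the admin URL and site URL are placeholders.

```powershell
# Added example (not from the original post): recovery triage with the
# SharePoint Online Management Shell. Lists soft-deleted sites with the days
# left in their 93-day window, restores a named site if still possible, and
# raises deleted-user OneDrive retention to the 10-year maximum described above.
# Assumes Microsoft.Online.SharePoint.PowerShell and the SharePoint Administrator role.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# 1. What is still recoverable, and for how long?
Get-SPODeletedSite -Limit All |
    Sort-Object DaysRemaining |
    Select-Object Url, DeletionTime, DaysRemaining, StorageQuota |
    Format-Table -AutoSize

# 2. Restore one site, but only if it is still inside the window.
$siteToRestore = 'https://contoso.sharepoint.com/sites/Projects'   # placeholder
$deleted = Get-SPODeletedSite -Identity $siteToRestore -ErrorAction SilentlyContinue
if ($deleted -and $deleted.DaysRemaining -gt 0) {
    Restore-SPODeletedSite -Identity $siteToRestore
    Write-Host "Restored $siteToRestore with $($deleted.DaysRemaining) day(s) to spare."
} else {
    Write-Warning "$siteToRestore is not in the deleted sites list; only a retention policy or hold can help now."
}

# 3. Deleted-user OneDrive retention: default 30 days, maximum 3650 (10 years).
$tenant = Get-SPOTenant
Write-Host "Current OneDrive retention after user deletion: $($tenant.OrphanedPersonalSitesRetentionPeriod) days"
if ($tenant.OrphanedPersonalSitesRetentionPeriod -lt 3650) {
    Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 3650
}

# 4. Deleted OneDrives sit in the same list; review them separately.
Get-SPODeletedSite -IncludeOnlyPersonalSite |
    Select-Object Url, DeletionTime, DaysRemaining |
    Format-Table -AutoSize

Disconnect-SPOService
```

The DaysRemaining column is the number to watch in a scheduled run: anything close to zero that nobody has claimed should be restored or deliberately let go before the list silently empties.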

Microsoft Teams:

  1. Undo Delete (Chats/Messages): Users have a very short window (seconds/minutes) to undo deleting their own message.

  2. File Recovery: Use the SharePoint/OneDrive methods above (Recycle Bins, Versioning, Files Restore) in the corresponding file storage location.

  3. eDiscovery Search (Purview): Admins search for and export Teams messages/chats preserved by Retention Policies. This is the primary method for recovering deleted conversations beyond the user’s ability.

Summary & Key Takeaways

  • Retention Policies are Paramount: Configure comprehensive retention policies in Microsoft Purview targeting Exchange, SharePoint, OneDrive, and Teams locations. Set retention durations to meet your maximum recovery time objective (e.g., 7 years, 10 years, Forever).

  • Leverage Versioning: Ensure SharePoint/OneDrive versioning is enabled with a high number of versions (e.g., 500+).

  • Understand Recycle Bins: Know the 93-day limit and the two stages.

  • Utilize Files Restore/Site Restore: This is powerful for recent (within 30 days) mass recovery scenarios.

  • Configure Deleted User Data Retention: Set appropriate retention for deleted OneDrive accounts and understand the 30-day mailbox retention.

  • Master eDiscovery: This Purview tool is essential for finding and recovering data preserved long-term by holds and retention policies.

  • Limitations: Remember native tools aren’t full backups. They don’t easily restore entire service configurations, protect against all ransomware scenarios perfectly, or offer granular point-in-time restores for all data types easily outside the specific features mentioned (like Files Restore).

By carefully configuring these native features, particularly retention policies and versioning, you can significantly extend the window for data recovery within Microsoft 365 without relying on third-party backup solutions. Always test your recovery procedures.

Creating an Automated Agent to Post Historical Computer Events in Teams Daily

Video link = https://www.youtube.com/watch?v=KZkhK41lynI

In this video, I walk you through the process of creating an automated agent that posts daily historical computer events in a Teams channel. Starting from copilotstudio.microsoft.com, I show you how to set up the agent, configure triggers, and manage connections. Learn how to troubleshoot common issues and ensure your agent runs smoothly. Join me as I share tips and insights to help you leverage AI for regular updates in your business. Don’t miss out on this practical guide to enhancing your team’s productivity with automation!

Best ways to monitor and audit permissions across a SharePoint environment in Microsoft 365


What are the best ways to monitor and audit permissions across a SharePoint environment in Microsoft 365? There isn’t one single “magic button,” but rather a combination of tools and practices that form the most effective approach.

The “best” way depends on your specific needs (scale, complexity, budget, compliance requirements), but generally involves a multi-layered strategy:

1. Leveraging Built-in Microsoft 365 Tools:

  • Microsoft Purview Compliance Portal (Audit Log):

    • What it does: Records actions related to permissions and sharing. This includes granting access, changing permissions, creating sharing links, accepting/revoking sharing invitations, adding/removing users from groups, etc.

    • Pros: Centralized logging across M365 services (not just SharePoint). Captures who did what, when. Essential for forensic auditing and tracking changes over time. Can set up alerts for specific activities.

    • Cons: Reports events, not the current state of permissions, so the current state is hard to derive from it. Can generate a large volume of data, requiring effective filtering and analysis. Default retention might be limited (90 days for E3, 1 year for E5/add-ons, up to 10 years with specific licenses). Doesn’t give you a simple snapshot of “who has access to Site X right now”.

    • Best for: Auditing changes to permissions, investigating specific incidents, monitoring for policy violations (e.g., excessive external sharing).
  • SharePoint Site Permissions & Advanced Permissions:

    • What it does: The standard SharePoint interface (Site Settings > Site Permissions and Advanced permission settings) allows site owners and administrators to view current permissions on a specific site, list, or library. The “Check Permissions” feature is useful for specific users/groups.

    • Pros: Direct view of current permissions for a specific location. No extra tools needed. Good for spot checks by site owners or admins.

    • Cons: Entirely manual, site-by-site. Not feasible for auditing across the entire tenant. Doesn’t scale. Doesn’t show how permissions were granted (direct vs. group) easily in aggregate. Doesn’t provide historical data.
  • Site Usage Reports (Sharing Links):

    • What it does: Found under Site Settings > Site Usage, this includes reports on externally shared files and sharing links (Anyone, Specific People).

    • Pros: Quick overview of sharing activity for a specific site, particularly external sharing links.

    • Cons: Limited scope (focuses on sharing links, not inherited or direct permissions). Site-by-site basis.
  • PowerShell (SharePoint Online Management Shell / PnP PowerShell):

    • What it does: Allows administrators to programmatically query and report on permissions across multiple sites, lists, libraries, and even items (though item-level reporting can be slow). PnP PowerShell is often preferred for its richer feature set.

    • Pros: Highly flexible and powerful. Can automate the generation of comprehensive current state permission reports across the tenant. Can export data to CSV for analysis. Can identify broken inheritance, unique permissions, group memberships, etc. Free (part of M365).

    • Cons: Requires scripting knowledge. Can be slow to run across very large environments, especially if checking item-level permissions. Scripts need to be developed and maintained. Requires appropriate administrative privileges.

    • Best for: Periodic, deep audits of the current permission state across the environment. Generating custom reports. Automating permission inventory.
  • Azure AD Access Reviews (Requires Azure AD Premium P2):

    • What it does: Automates the review process where group owners or designated reviewers must attest to whether users still need access via Microsoft 365 Groups or Security Groups that grant access to SharePoint sites (often via the Owners, Members, Visitors groups).

    • Pros: Proactive governance. Engages business users/owners in the review process. Reduces permission creep over time. Creates an audit trail of reviews.

    • Cons: Requires Azure AD P2 license. Primarily focuses on group memberships, not direct permissions or SharePoint groups (though M365 groups are the modern standard). Requires setup and configuration.

    • Best for: Implementing regular, automated reviews of group-based access to ensure continued need.
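The Purview Audit Log bullet above describes what the unified audit log records but not how to get a usable change report out of it. The script below is an added example, not code from the original post; it searches the last seven days of SharePoint permission and sharing events and flags the ones most worth a second look. It assumes the ExchangeOnlineManagement module and an account with the View-Only Audit Logs role; the operation names are real SharePoint audit operations, while the time window and the "flag" rules are placeholders for your own policy.

```powershell
# Added example (not from the original post): pull recent SharePoint
# permission and sharing events from the unified audit log and flag
# the ones worth reviewing. Assumes the ExchangeOnlineManagement module
# and the View-Only Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$operations = @(
    'SharingSet',                # permissions granted on an item or site
    'SharingInvitationCreated',  # a user invited someone to a resource
    'AnonymousLinkCreated',      # an "Anyone" link was created
    'AddedToGroup',              # member added to a SharePoint group
    'PermissionLevelModified',   # a permission level was changed
    'SharingPolicyChanged'       # tenant/site sharing policy changed
)

# Page through results: one call returns at most 5000 records, and
# ReturnLargeSet keeps handing back pages until the set is exhausted.
$records   = @()
$sessionId = [guid]::NewGuid().ToString()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON string; expand the fields an analyst cares about.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        Operation  = $_.Operations
        Actor      = $_.UserIds
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType    # Member, Guest, SecurityGroup, SharePointGroup ...
        Site       = $d.SiteUrl
        Object     = $d.ObjectId
        EventData  = $d.EventData                 # e.g. the role granted by SharingSet
    }
}

# Flag rules (placeholders): anonymous links, and any grant to a guest.
$flagged = $events | Where-Object {
    $_.Operation -eq 'AnonymousLinkCreated' -or $_.TargetType -eq 'Guest'
}
$flagged | Sort-Object When | Format-Table When, Operation, Actor, Target, Site -AutoSize
$events  | Export-Csv -Path .\SharePoint-PermissionChanges.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Because the audit log only tells you what changed, this report is the "ongoing change monitoring" half of the picture; pair it with a periodic current-state inventory so that a grant made before the retention window started is not invisible to you.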

2. Third-Party Tools:

  • What they do: Numerous vendors offer specialized SharePoint/Microsoft 365 administration, governance, and auditing tools (e.g., ShareGate, AvePoint, Quest, SysKit, CoreView, etc.).

  • Pros: Often provide user-friendly dashboards and pre-built reports for permissions auditing. Can simplify complex reporting tasks compared to PowerShell. May offer advanced features like alerting, automated remediation workflows, comparison reporting (permissions changes over time), and broader M365 governance capabilities. Can often combine state reporting and change auditing.

  • Cons: Cost (licensing fees). Can have their own learning curve. Reliance on a vendor for updates and support. Need to grant the tool potentially high privileges.

  • Best for: Organizations needing comprehensive, user-friendly reporting and management without extensive PowerShell expertise, or those requiring advanced features and workflows not available natively. Often essential for large, complex environments or those with stringent compliance needs.

Recommended Strategy (The “Best Way”):

For most organizations, the most effective approach is a combination:

  1. Configure & Monitor the Purview Audit Log: Ensure auditing is enabled and understand how to search/filter logs. Set up alerts for critical permission changes or sharing events (e.g., creation of “Anyone” links if disallowed, granting owner permissions). This covers ongoing change monitoring.

  2. Perform Regular Audits using PowerShell or a Third-Party Tool: Schedule periodic (e.g., quarterly, semi-annually) comprehensive audits to capture the current state of permissions across all relevant sites. Focus on:

    • Sites with broken inheritance.

    • Direct user permissions (should be minimized).

    • Membership of Owners groups.

    • External sharing status.

    • Usage of SharePoint Groups vs M365/Security Groups.
  3. Implement Azure AD Access Reviews (if licensed): Use this for regular recertification of access granted via M365 and Security groups, especially for sensitive sites.

  4. Establish Clear Governance Policies: Define who can share, what can be shared externally, how permissions should be managed (use groups!), and the responsibilities of Site Owners.

  5. Train Site Owners: Ensure they understand the principle of least privilege and how to manage permissions correctly within their sites using M365 groups primarily.

  6. Use Built-in UI for Spot Checks: Empower admins and site owners to use the standard SharePoint UI for quick checks on individual sites as needed.
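The PowerShell bullet in the tools list above and the audit focus list in step 2 both call for a current-state permission inventory: broken inheritance, direct user grants, Owners group membership and SharePoint groups versus M365/security groups. The PnP PowerShell script below is an added example, not code from the original post, that produces exactly that inventory for one site. It assumes the PnP.PowerShell module, a registered Entra app client ID for interactive sign-in and site collection admin rights; the site URL and client ID are placeholders.

```powershell
# Added example (not from the original post): current-state permission
# inventory for one site with PnP PowerShell. Assumes PnP.PowerShell,
# a registered Entra app client ID and site collection admin rights.
Import-Module PnP.PowerShell
$SiteUrl = 'https://contoso.sharepoint.com/sites/Finance'      # placeholder
$AppId   = '00000000-0000-0000-0000-000000000000'               # placeholder Entra app ID
Connect-PnPOnline -Url $SiteUrl -ClientId $AppId -Interactive

$findings = [System.Collections.Generic.List[object]]::new()

# Expand one securable object's role assignments into flat rows.
function Add-Assignments {
    param($Object, [string]$Scope, [string]$Name)
    foreach ($ra in $Object.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ', '
        $findings.Add([pscustomobject]@{
            Scope         = $Scope
            Name          = $Name
            Principal     = $ra.Member.Title
            PrincipalType = $ra.Member.PrincipalType   # User, SecurityGroup, SharePointGroup ...
            Roles         = $roles
            DirectUser    = ($ra.Member.PrincipalType -eq 'User')   # direct grants should be rare
        })
    }
}

# Site (web) level assignments.
$web = Get-PnPWeb -Includes RoleAssignments, HasUniqueRoleAssignments
Add-Assignments -Object $web -Scope 'Web' -Name $web.Title

# Lists and libraries that have broken inheritance.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments, Hidden |
    Where-Object { -not $_.Hidden -and $_.HasUniqueRoleAssignments }
foreach ($list in $lists) {
    Add-Assignments -Object $list -Scope 'List (unique permissions)' -Name $list.Title
}

# Owners group membership: the principals who can change everything else.
$owners = Get-PnPGroup -AssociatedOwnerGroup
$ownerMembers = Get-PnPGroupMember -Group $owners |
    Select-Object @{n = 'Group'; e = { $owners.Title }}, Title, LoginName, PrincipalType

# Summary, on-screen detail and CSV export for the audit record.
Write-Host "Lists with broken inheritance: $($lists.Count)"
Write-Host "Direct user grants: $(($findings | Where-Object DirectUser).Count)"
$ownerMembers | Format-Table -AutoSize
$findings | Sort-Object Scope, Name | Format-Table -AutoSize
$findings | Export-Csv -Path .\SharePoint-Permissions.csv -NoTypeInformation
```

Wrap the body in a loop over Get-PnPTenantSite output to cover the tenant, and keep each run's CSV: diffing two quarterly exports is the simplest "comparison reporting" the third-party tools above sell, and a PrincipalType of User appearing where a group used to be is the permission creep the access review step is meant to catch.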

By combining proactive monitoring (Purview), periodic deep audits (PowerShell/Third-Party), automated reviews (Access Reviews), and clear governance, you create a robust system for managing and auditing SharePoint permissions effectively.

CIA Brief 20250426


Copilot+ PCs are the most performant Windows PCs ever built, now with more AI features that empower you every day –

https://blogs.windows.com/windowsexperience/2025/04/25/copilot-pcs-are-the-most-performant-windows-pcs-ever-built-now-with-more-ai-features-that-empower-you-every-day/

Explore practical best practices to secure your data with Microsoft Purview –

https://www.microsoft.com/en-us/security/blog/2025/04/25/explore-practical-best-practices-to-secure-your-data-with-microsoft-purview/

Introducing ActorInfoString: A New Era of Audit Log Accuracy in Exchange Online –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-actorinfostring-a-new-era-of-audit-log-accuracy-in-exchange-online/4408093

Microsoft Purview eDiscovery is getting a unified, streamlined experience starting May 26, 2025! –

https://techcommunity.microsoft.com/blog/azurepurviewblog/microsoft-purview-ediscovery-is-getting-a-unified-streamlined-experience-startin/4407225

Advanced deployment guide for Conditional Access Policy templates –

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/advanced-deployment-guide-for-conditional-access-policy-templates/4406767

2025: The Year the Frontier Firm Is Born –

https://www.microsoft.com/en-us/worklab/work-trend-index/2025-the-year-the-frontier-firm-is-born

Expanding reference capabilities with Microsoft 365 Copilot in Word –

https://techcommunity.microsoft.com/blog/microsoft365insiderblog/expanding-reference-capabilities-with-microsoft-365-copilot-in-word/4406054

Announcing Agentic Automation with Bidirectional Integration between Microsoft Copilot Studio & UiPath –

https://www.microsoft.com/en-us/microsoft-copilot/blog/copilot-studio/announcing-agentic-automation-with-bidirectional-integration-between-microsoft-copilot-studio-uipath/

More insights from Microsoft 365 Copilot’s document summary –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/more-insights-from-microsoft-365-copilot%E2%80%99s-document-summary/4405814

Service principal required for Microsoft Entra ID –

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/service-principal-required-for-microsoft-entra-id/4405796

Researcher agent in Microsoft 365 Copilot –

https://techcommunity.microsoft.com/blog/microsoft365copilotblog/researcher-agent-in-microsoft-365-copilot/4397186

Microsoft 365 Copilot: Built for the era of human–agent collaboration –

https://www.microsoft.com/en-us/microsoft-365/blog/2025/04/23/microsoft-365-copilot-built-for-the-era-of-human-agent-collaboration/

The 2025 Annual Work Trend Index: The Frontier Firm is born –

https://blogs.microsoft.com/blog/2025/04/23/the-2025-annual-work-trend-index-the-frontier-firm-is-born/

Microsoft Purview protections for Copilot –

https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/microsoft-purview-protections-for-copilot/4406384

Getting started with the new Purview Content Search –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/getting-started-with-the-new-purview-content-search/4405757

End of support for Windows 10, Windows 8.1, and Windows 7 –

https://www.microsoft.com/en-us/windows/end-of-support?r=1

RSAC 2025 new Microsoft Sentinel connectors announcement –

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/rsac-2025-new-microsoft-sentinel-connectors-announcement/4404177

Microsoft AutoUpdate: Security Improvements to ManifestServer –

https://techcommunity.microsoft.com/blog/microsoft365insiderblog/microsoft-autoupdate-security-improvements-to-manifestserver/4405454

Summarize your emails with Microsoft 365 Copilot –

https://www.youtube.com/watch?v=HOefmtSc7jQ

Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative –

https://www.microsoft.com/en-us/security/blog/2025/04/21/securing-our-future-april-2025-progress-report-on-microsofts-secure-future-initiative/

Microsoft Security Copilot in Intune deep dive – Part 1: Features available in public preview –

https://techcommunity.microsoft.com/blog/intunecustomersuccess/microsoft-security-copilot-in-intune-deep-dive-%E2%80%93-part-1-features-available-in-pu/4406244

Microsoft Security Copilot | Copilot with Endpoint Privilege Management (EPM) and Microsoft Intune –

https://www.youtube.com/watch?v=KcrTRahDYMQ

Microsoft Security Copilot | Copilot assistance for Troubleshooting with Microsoft –

https://www.youtube.com/watch?v=xHXRgappHoA

Write Better Prompts with Copilot –

https://www.youtube.com/watch?v=zOSPcmnS2VU

Microsoft and LinkedIn release the 2024 Work Trend Index on the state of AI at work –

https://blogs.microsoft.com/blog/2024/05/08/microsoft-and-linkedin-release-the-2024-work-trend-index-on-the-state-of-ai-at-work/

After hours

The World Needs AI, But There’s a Problem – https://www.youtube.com/watch?v=SpMIs6AnUW8

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Copilot agent stuck on Waiting for user

Screenshot 2025-04-26 083251

I’ve been working on an autonomous action in Copilot Studio and found that it seems to get stuck on “Waiting for user” as shown above.

Screenshot 2025-04-26 083410

When I open that activity, again you’ll see that it says “Waiting on user”.

Screenshot 2025-04-26 083508

I then go to the top right and select Transcript from the menu, as shown above.

Screenshot 2025-04-26 082748

I see these two buttons, as shown above. Problem is, neither of them actually does anything! This appears to be a bug.

The solution is to put your browser into developer mode. Search the page elements for the text:

copilotstudio.microsoft.com/c2

This is the start of the URL that the button should use. Copy that element and paste it into Notepad.

Screenshot 2025-04-26 084058

Remove everything but the URL like so:

Screenshot 2025-04-26 084153

Copy that URL and paste it into a new browser tab in the same session and you should now see the following page:

Screenshot 2025-04-26 084517

You will probably see that it isn’t connected, as shown above. If so, click the Connect button to reconnect the service.

Screenshot 2025-04-26 084309

When it is properly connected it should appear as shown above, and your Copilot Studio action should now work and no longer be paused at Waiting for user going forward.

A huge shout out to Shervin Shaffie from Microsoft, whose YouTube video provided the solution for me. The video is here:

https://youtu.be/4s7Qa_cYZyQ?si=4-TSkrr-T6_CNqdD&t=1320

at timestamp 22:00 where he walks through fixing the problem as I have outlined in this blog post.

Hopefully, Microsoft is now aware of this issue and will resolve it soon.

What is the ideal structure for collaboration services in Microsoft 365


There isn’t a single “one-size-fits-all” perfect structure, as the ideal setup depends heavily on your organization’s size, culture, industry, compliance needs, and specific work patterns. However, a widely recommended and effective approach revolves around using Microsoft Teams as the central hub for collaboration, leveraging other services in specific, defined roles.

Here’s a breakdown of the ideal structure and the role of key services:

Core Principle: Teams as the Primary Collaboration Interface (“Hub”)

Think of Microsoft Teams as the user’s primary window into collaboration for specific groups, projects, or departments. It brings together chat, meetings, files, and apps into one place.

1. Microsoft Teams:

  • Purpose: Day-to-day teamwork, project collaboration, communication within defined groups.

  • Structure:
    • Teams: Create Teams based on organizational structure (departments), major cross-functional projects, or long-term initiatives. Avoid creating too many Teams initially.

    • Channels (Standard): Use channels within a Team to organize conversations and files by specific topics, workstreams, or sub-projects. The “General” channel is for announcements and onboarding.

    • Channels (Private): Use sparingly for focused collaboration within a subset of the Team members when privacy is needed for conversations and files.

    • Channels (Shared): Use for collaborating securely with specific internal or external people/teams without giving them access to the entire parent Team. Ideal for specific vendor collaborations or joint projects with partners.

    • Tabs: Pin frequently used files, SharePoint pages/lists, Planner boards, websites, and other apps as tabs within relevant channels for easy access.
  • Usage: Chat, channel conversations (persistent discussions), scheduled and ad-hoc meetings, screen sharing, integrating apps (like Planner, Forms, Power BI).

2. SharePoint Online:

  • Purpose: The underlying content management service for Teams, intranets, document repositories, and business process automation.

  • Structure:
    • Team Sites (Group-Connected): Every Microsoft Team automatically gets a SharePoint Team Site. This site’s default document library powers the “Files” tab in all standard channels within that Team. Use this site for storing team-specific documents, creating related lists, pages, and news.

    • Communication Sites: Used for broader communication – company intranets, HR portals, department landing pages. Designed for a smaller number of creators and a large audience. Not directly tied to a single Team’s collaboration flow but can be linked to from Teams.

    • Hub Sites: Connect related Team Sites and Communication Sites to provide unified navigation, search, and branding. Essential for building a cohesive intranet and information architecture.
  • Usage: Storing and managing all files shared within a Team’s standard channels, building intranet portals, creating sophisticated document libraries with metadata and views, managing lists, powering Power Automate workflows, long-term knowledge management.

Key Relationship: Teams & SharePoint. Files shared or created in a standard Teams channel live in the corresponding SharePoint Team Site’s document library. Teams provides the contextual interface, while SharePoint provides the robust file management backend (versioning, metadata, permissions, compliance features).

3. OneDrive for Business:

  • Purpose: Personal work file storage, draft documents, ad-hoc sharing with individuals.

  • Structure: User’s individual cloud storage space. Users organize with folders.

  • Usage: Storing individual work files (“My Documents” in the cloud), drafting documents before they are ready for team collaboration, sharing files with one or a few specific individuals (internal or external) on a limited basis, syncing files for offline access.

  • Avoid: Using OneDrive as the primary storage location for official team or project files. Once a file is ready for collaboration or becomes an official team resource, move/copy it to the relevant Teams/SharePoint library.

4. Outlook / Exchange Online:

  • Purpose: Formal communication, external communication, calendaring, personal task management (integrating with To Do).

  • Structure: Individual mailboxes, shared mailboxes (for roles like info@, support@), M365 Group mailboxes (for receiving group emails).

  • Usage: Sending formal announcements, communicating with external parties, scheduling meetings (which are often Teams meetings), managing personal calendars and tasks. Less ideal for iterative, real-time team discussions (use Teams chat/channels instead).

5. Planner / To Do:

  • Purpose: Task management.

  • Structure:
    • Planner: Create Plans and add them as tabs within Teams channels for tracking team tasks related to that channel’s topic or project.

    • To Do: Aggregates tasks assigned to you in Planner, flagged emails from Outlook, and tasks you create manually for personal task management.
  • Usage: Assigning, tracking, and organizing team tasks (Planner); managing individual workload and priorities (To Do).

6. Yammer (Viva Engage):

  • Purpose: Broader, organization-wide communication, communities of practice, social engagement, leadership connection.

  • Structure: Communities based on interests, topics, large departments, or social groups.

  • Usage: Open discussions, Q&A forums, sharing knowledge across organizational silos, company-wide announcements, building culture. Generally not for focused, task-oriented project collaboration (use Teams for that).

Essential Supporting Elements for an Ideal Structure:

  1. Governance: Clear policies on Team/Site creation, naming conventions, external sharing, guest access, lifecycle management (archiving/deletion).

  2. Information Architecture: Planning how sites connect (Hub Sites), use of metadata for findability, navigation strategy.

  3. Security & Compliance: Utilizing M365 Groups for permissions, configuring sensitivity labels, retention policies, Data Loss Prevention (DLP).

  4. User Training & Adoption: Crucial for success. Users need guidance on “when to use what” and best practices. Change management is key.

In Summary – The “When to Use What” Guideline:

  • Inner Loop (Your immediate team, project): Use Teams for chat, meetings, channel conversations, and accessing team files/apps. Files live in the connected SharePoint site. Use Planner within Teams for team tasks.

  • Your Personal Work: Use OneDrive for drafts and personal storage. Use To Do and Outlook Calendar for personal organization. Use Outlook for formal/external email.

  • Outer Loop (Broader organization, communities): Use Yammer (Viva Engage) for broad discussions and communities. Use SharePoint Communication Sites (often via an Intranet) for official news and resources. Use Outlook for org-wide formal email announcements.

Implementing this structure requires planning, clear governance, and consistent user education, but it leads to a more organized, efficient, and secure collaboration environment in Microsoft 365.

Use AI to provide better spam protection and detection with Exchange Online


Let’s break down how AI enhances spam and phishing protection within Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO), along with configuration examples.

How AI Powers Spam/Phishing Protection in Exchange Online

Instead of just relying on static rules (like blocking specific keywords or known bad IPs), AI (specifically Machine Learning models) introduces several powerful capabilities:

  1. Advanced Pattern Recognition: AI models analyze vast amounts of global email data (billions of messages daily) from Microsoft’s network. They identify subtle and evolving patterns associated with spam, phishing, malware, and impersonation attempts that rule-based systems would miss. This includes:

    • Linguistic Analysis: Understanding the nuances of language, tone, urgency cues, grammatical errors common in phishing, and topic shifts often used to bypass simple filters.

    • Structural Analysis: Examining message headers, sending infrastructure reputation, URL structures, attachment types, and email formatting anomalies.

    • Behavioural Analysis: Learning normal communication patterns for your organization and flagging deviations (e.g., a sudden email from the “CEO” asking for gift cards, which is out of character).
  2. Adaptive Learning: Spammers constantly change tactics. AI models continuously learn and adapt to these new threats in near real-time, significantly reducing the window of vulnerability compared to waiting for manual rule updates. When new spam campaigns emerge, the models retrain based on newly classified samples.

  3. Contextual Understanding: AI helps differentiate between legitimate and malicious use of similar content. For example, an “invoice” email from a known supplier vs. a generic “invoice” from an unknown sender with a suspicious link. AI considers sender reputation, recipient history, link destinations, etc.

  4. Impersonation Detection (MDO): This is heavily AI-driven.

    • User Impersonation: Mailbox Intelligence learns the frequent contacts and communication style of protected users (e.g., executives). It flags emails claiming to be from that user but originating externally or exhibiting unusual patterns.

    • Domain Impersonation: AI detects attempts to use domains that look very similar to your own (e.g., yourc0mpany.com instead of yourcompany.com) or legitimate external domains (e.g., spoofing a well-known supplier).
  5. Enhanced Heuristics & Reputation: AI refines the calculation of Spam Confidence Levels (SCL) and Bulk Complaint Levels (BCL) by incorporating more complex signals than just IP/domain blocklists. It considers the “neighborhood” of sending IPs, historical sending behavior, and feedback loops (user submissions, junk reports).

  6. Zero-Hour Auto Purge (ZAP): Even if a malicious email initially bypasses filters and lands in an inbox, AI continues analyzing signals. If the message is later identified as spam or phishing (often through updated AI models or user reports), ZAP can automatically pull it from user mailboxes.

Specific Configuration Examples (Using the Microsoft 365 Defender Portal)

Most AI capabilities are inherently part of the features. You don’t toggle “AI On/Off,” but you configure the policies that leverage AI.

Prerequisites:

  • Access to the Microsoft 365 Defender portal (https://security.microsoft.com).

  • Appropriate permissions (e.g., Security Administrator, Global Administrator).

  • Note: Some advanced features (like Impersonation, Safe Links, Safe Attachments) require Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses, beyond the basic EOP included with Exchange Online.

Example 1: Tuning Anti-Spam Inbound Policy (Leverages AI for SCL)

AI determines the SCL score based on numerous factors. You configure the actions based on those AI-determined scores.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam.

  2. Select the Anti-spam inbound policy (Default) or click Create policy > Inbound for a custom policy.

  3. In the policy settings, locate the Bulk email threshold & spam properties section and click Edit actions.

  4. Spam Confidence Level (SCL) Actions:
    • Spam: Action: Move message to Junk Email folder (Recommended Default). SCL levels typically 5, 6.

    • High confidence spam: Action: Quarantine message (Recommended). SCL levels typically 7, 8, 9. You could choose Redirect message to email address, Delete message, or Move message to Junk Email folder. Quarantine is generally safest.

    • AI Impact: The determination of which message gets an SCL of 5 vs. 7 vs. 9 is heavily AI-driven based on content, sender, structure, etc.
  5. Bulk Complaint Level (BCL) Threshold: Set a threshold (e.g., 6 or 7). Messages exceeding this BCL (often unwanted marketing mail) will take the specified action (e.g., Move message to Junk Email folder). AI helps differentiate bulk from true spam.

  6. Zero-hour auto purge (ZAP): Ensure “Enable for spam messages” and “Enable for phishing messages” are turned On. This allows AI to retroactively remove messages.

  7. Save the changes.
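The same inbound anti-spam settings applied through Exchange Online PowerShell and then read back, so the result can be verified rather than assumed. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, an account holding the Security Administrator role, and the built-in inbound policy named Default (substitute the name of a custom policy if you created one).

```powershell
# Added example: configure the inbound anti-spam policy described above and
# verify the result. Assumes ExchangeOnlineManagement is installed and the
# signed-in account holds Security Administrator (or equivalent).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for automation

$policyName = 'Default'  # built-in inbound policy; replace with your custom policy's name

# Intended settings; the keys are Set-HostedContentFilterPolicy parameter names
$intended = @{
    SpamAction               = 'MoveToJmf'   # SCL 5-6: Junk Email folder
    HighConfidenceSpamAction = 'Quarantine'  # SCL 7-9: quarantine
    BulkThreshold            = 6             # BCL above this value is treated as bulk
    BulkSpamAction           = 'MoveToJmf'   # action for bulk mail over the threshold
    SpamZapEnabled           = $true         # ZAP: "Enable for spam messages"
    PhishZapEnabled          = $true         # ZAP: "Enable for phishing messages"
}

Set-HostedContentFilterPolicy -Identity $policyName @intended

# Read the policy back and report any setting that did not land as intended.
# The same loop, run on a schedule, doubles as a policy drift check.
$current = Get-HostedContentFilterPolicy -Identity $policyName
$drift = @()
foreach ($key in $intended.Keys) {
    $actual = $current.$key
    if ("$actual" -ne "$($intended[$key])") {
        $drift += "$key is '$actual', expected '$($intended[$key])'"
    }
    '{0,-26} {1}' -f $key, $actual
}
if ($drift.Count -eq 0) { 'Anti-spam policy matches the intended settings.' }
else { Write-Warning ("Drift detected:`n" + ($drift -join "`n")) }
```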

Example 2: Configuring Anti-Phishing Policy (Leverages AI for Impersonation & Spoofing)

Requires MDO licenses for advanced features.

  1. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing.

  2. Click Create to make a new policy (recommended) or edit the Default policy.

  3. Phishing threshold & protection:
    • Enable spoof intelligence: Ensure this is On. AI helps identify and classify spoofing attempts (legitimate vs. malicious). You can review/override its findings later under “Spoof intelligence insight”.

    • Impersonation Protection (Key AI Area):
      • Click Edit next to Users to protect. Click Manage sender(s) and add email addresses of key personnel (CEO, CFO, HR Managers, up to 350). AI (Mailbox Intelligence) learns their communication patterns.

      • Click Edit next to Domains to protect. Add your own company domains and consider adding custom domains that are visually similar or frequently targeted. AI flags emails spoofing these domains or using lookalike domains.

      • Enable Mailbox Intelligence: Ensure this is On. This activates the AI learning for the protected users’ contact graphs and communication patterns.

      • Enable intelligence for impersonation protection: Ensure this is On. Uses AI to improve detection based on learned senders/patterns.
    • Actions: Configure actions for detected impersonation (User/Domain) and spoofing. Recommended actions often include Quarantine the message or Redirect message to administrator address and displaying safety tips.
  4. Advanced phishing thresholds: Set the level (e.g., 2: Aggressive, 3: More aggressive, 4: Most aggressive). Higher levels use more sensitive AI/ML models but might increase false positives. Start with 1: Standard or 2: Aggressive and monitor.

  5. Assign the policy to specific users, groups, or the entire domain.

  6. Save the policy.
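The anti-phishing policy from the steps above created with Exchange Online PowerShell, scoped by a rule and then read back. This is an added example, not part of the original post; it assumes an Exchange Online session with Security Administrator rights and a Defender for Office 365 license, and every policy name, address and domain below is a placeholder.

```powershell
# Added example: create the anti-phishing policy described above.
# Assumes ExchangeOnlineManagement is installed, the signed-in account holds
# Security Administrator, and MDO is licensed. Names, addresses and domains
# are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'Executive Impersonation Protection'   # placeholder policy name

# Protected users use the "DisplayName;EmailAddress" format (up to 350 entries)
$protectedUsers = @(
    'Chief Executive;ceo@contoso.example',            # placeholder
    'Chief Financial Officer;cfo@contoso.example'     # placeholder
)

$params = @{
    Name                                = $policyName
    # Spoof intelligence: AI classification of spoofed senders
    EnableSpoofIntelligence             = $true
    # User impersonation (Users to protect)
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: own accepted domains plus trusted partner domains
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('trusted-supplier.example')   # placeholder
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: learns each protected user's contact graph
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # Safety tips shown to recipients on suspected impersonation
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Advanced phishing threshold: 1 Standard, 2 Aggressive, 3 More, 4 Most
    PhishThresholdLevel                 = 2
}
New-AntiPhishPolicy @params

# The rule scopes the policy; here to every recipient in the placeholder domain
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.example' -Priority 0

# Confirm the impersonation settings took effect
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object EnableSpoofIntelligence, EnableMailboxIntelligence,
                  EnableTargetedUserProtection, EnableTargetedDomainsProtection,
                  PhishThresholdLevel
```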

Example 3: Enabling Safe Links & Safe Attachments (Leverages AI for Analysis)

Requires MDO licenses. These features use sandboxing (detonation) and URL reputation checks, heavily augmented by AI analysis.

  1. Safe Attachments:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Attachments.

    • Click Create or edit an existing policy.

    • Choose an action like Block (blocks email with detected malware) or Dynamic Delivery (delivers email body immediately, attaches placeholder until attachment scan completes – often preferred for user experience).

    • Enable Redirect messages with detected attachments and specify an admin mailbox for review if desired.

    • Apply the policy to users/groups/domains.

    • AI Impact: AI models perform static analysis before detonation and analyze the behavior of the file during detonation in the sandbox to identify novel/zero-day malware.
  2. Safe Links:

    • Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Links.

    • Click Create or edit an existing policy.

    • Under URL & click protection settings, ensure “On: Safe Links checks a list of known, malicious links when users click links in email” is selected.

    • Enable Apply Safe Links to email messages.

    • Enable Apply real-time URL scanning for suspicious links and links that point to files. (This uses AI and other heuristics).

    • Configure Wait for URL scanning to complete before delivering the message (more secure, slight delay) or leave it off (less secure, no delay).

    • Choose actions for malicious URLs within Microsoft Teams and Office 365 Apps if applicable.

    • Configure Do not rewrite the following URLs for any trusted internal/external sites that break due to rewriting (use sparingly).

    • Apply the policy to users/groups/domains.

    • AI Impact: AI powers the reputation lookups and real-time scanning analysis of URLs, identifying phishing sites, malware hosts, and command-and-control servers even if they aren’t on a static blocklist yet.
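The Safe Attachments and Safe Links policies from the steps above created with Exchange Online PowerShell, each scoped by a rule and read back afterwards. This is an added example, not part of the original post; it assumes an Exchange Online session with Security Administrator rights and a Defender for Office 365 license, and the policy names, mailbox, domain and URL pattern are placeholders.

```powershell
# Added example: create the Safe Attachments and Safe Links policies described
# above. Assumes ExchangeOnlineManagement is installed, the signed-in account
# holds Security Administrator, and MDO is licensed. All names, addresses,
# domains and URLs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$scope         = 'contoso.example'          # placeholder recipient domain for both rules
$reviewMailbox = 'secops@contoso.example'   # placeholder admin mailbox for redirected mail

# Safe Attachments: Dynamic Delivery keeps mail flowing while attachments detonate;
# Redirect sends a copy of messages with detected attachments to the review mailbox.
$saName = 'Standard Safe Attachments'
$safeAttachments = @{
    Name            = $saName
    Enable          = $true
    Action          = 'DynamicDelivery'
    Redirect        = $true
    RedirectAddress = $reviewMailbox
}
New-SafeAttachmentPolicy @safeAttachments
New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $scope

# Safe Links: rewrite and scan URLs in email, Teams and Office apps
$slName = 'Standard Safe Links'
$safeLinks = @{
    Name                     = $slName
    EnableSafeLinksForEmail  = $true    # check known malicious links when users click
    ScanUrls                 = $true    # real-time scanning of suspicious links and file links
    DeliverMessageAfterScan  = $true    # wait for scanning before delivery (more secure)
    EnableForInternalSenders = $true    # also cover mail between internal users
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    TrackClicks              = $true    # keep click data for investigations
    AllowClickThrough        = $false   # users cannot proceed to a blocked URL
    DoNotRewriteUrls         = @('https://intranet.contoso.example/*')   # placeholder; use sparingly
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $scope

# Confirm both policies exist and show the settings that matter most
Get-SafeAttachmentPolicy -Identity $saName |
    Select-Object Name, Enable, Action, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity $slName |
    Select-Object Name, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
```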

Key Takeaways:

  • AI is Integrated: You configure features like Anti-Spam, Anti-Phishing, Safe Links/Attachments, and AI works behind the scenes within those features.

  • MDO is Crucial: The most advanced AI-driven protections (impersonation, advanced phishing detection, Safe Links/Attachments) require Microsoft Defender for Office 365 licenses.

  • Configuration is Tuning: You adjust thresholds (SCL, BCL), enable specific protections (Impersonation), and define actions (Quarantine, Junk, Delete).

  • Monitor & Adapt: Regularly review quarantine, user submissions (use the Report Message Add-in!), and threat reports in the Defender portal to fine-tune policies and understand how AI is performing in your environment. Feedback helps the AI models learn.

By leveraging these AI-powered features and configuring them appropriately, you can significantly improve your organization’s defense against increasingly sophisticated spam and phishing attacks in Exchange Online.

Honouring the ANZAC Legacy: Reflections on ANZAC Day 2025

ANZAC Day, observed on April 25th, stands as one of Australia and New Zealand’s most significant national commemorations. The 2025 observance marks 110 years since the Australian and New Zealand Army Corps (ANZAC) landed on the shores of Gallipoli during World War I, a campaign that has become foundational to both nations’ identities and cultural heritage.

The Historical Significance of ANZAC Day

ANZAC Day commemorates the landing of Australian and New Zealand forces at Gallipoli on April 25, 1915. This military campaign, while ultimately unsuccessful from a strategic standpoint, has come to symbolize the courage, sacrifice, and camaraderie that defines the “ANZAC spirit.”

The Gallipoli campaign was the first major military engagement for Australia as a newly federated nation. Though it resulted in significant casualties—with approximately 8,700 Australian and 2,700 New Zealand soldiers losing their lives—the campaign has been recognized as a pivotal moment in shaping national consciousness. As we mark 110 years since this historic landing, the significance of this sacrifice continues to resonate across generations.

2025 Commemorations Across Australia

This year’s ANZAC Day remembrances continue the tradition of nationwide ceremonies, with particularly notable events marking the 110th anniversary. Dawn services, a tradition dating back to the 1920s, have seen strong attendance nationwide. These solemn ceremonies begin in the early morning darkness, symbolizing the original landing time at Gallipoli, and culminate as the sun rises—representing hope after sacrifice.

Major metropolitan areas including Sydney, Melbourne, Brisbane, Perth, and Adelaide are hosting significant marches featuring veterans from various conflicts, their descendants, and current service members. The Australian War Memorial in Canberra serves as a focal point for national observances, with the customary wreath-laying ceremony and commemorative addresses that acknowledge both historical sacrifices and ongoing service.

Expanding the ANZAC Legacy for Modern Times

While ANZAC Day began as a commemoration specifically for those who served at Gallipoli, it has evolved to honor all Australians and New Zealanders who have served and sacrificed in military operations. The 2025 commemorations particularly highlight:

  • World War II veterans, whose numbers have dwindled significantly as we approach the 80th anniversary of the war’s end

  • Korean War veterans, now mostly in their 90s

  • Vietnam War veterans, many now in their 70s and 80s

  • Veterans of more recent conflicts in Iraq and Afghanistan

  • Personnel involved in humanitarian assistance and disaster relief operations

  • Peacekeepers who have served in various international missions

This year’s commemorations have placed special emphasis on the psychological impact of military service, with increased recognition of the mental health challenges many veterans face and the importance of community support systems.

The Evolving Tradition of ANZAC Day

The 2025 observances maintain the traditional elements integral to ANZAC Day while incorporating contemporary approaches to remembrance:

  • The Last Post and One Minute’s Silence: These solemn traditions continue to form the emotional core of ceremonies

  • The Ode and Poppy Tributes: The recitation of “They shall grow not old…” and the laying of poppies remain powerful symbols of remembrance

  • Digital Commemorations: Virtual reality experiences of historical battlefields are now available at major museums, allowing visitors to better understand the conditions faced by the original ANZACs

  • Intergenerational Programs: Structured opportunities for veterans to share experiences with school children have expanded, ensuring the living transmission of memory

  • Indigenous Recognition: Increased acknowledgment of Aboriginal and Torres Strait Islander service members, who served despite facing discrimination at home

Community and Technological Engagement

The 2025 ANZAC Day demonstrates how technology continues to transform commemoration while maintaining essential traditions. Digital archives accessible via smartphones now allow attendees at ceremonies to look up individual service records and learn specific stories about those being honoured. Social media campaigns encouraging Australians to share family military histories have created a vast, collective digital memorial.

Communities across Australia and New Zealand are also focusing on practical support for veterans, with numerous fundraising initiatives for organizations that provide mental health services, housing assistance, and employment transition programs for returned service members.

International Dimensions

ANZAC Day 2025 is being commemorated at significant international sites including:

  • The Gallipoli Peninsula in Turkey, where a special 110th anniversary service has drawn thousands of Australians and New Zealanders

  • The Sir John Monash Centre at Villers-Bretonneux in France, which continues to educate visitors about Australia’s contribution to the Western Front

  • Various Commonwealth war cemeteries worldwide

The ongoing positive relationship between Australia, New Zealand, and Turkey continues to demonstrate how former adversaries can forge respectful bonds through shared remembrance.

Looking Forward: The Next Century of Remembrance

As we move further into the second century since the Gallipoli landings, ANZAC Day 2025 reflects ongoing efforts to keep the observance meaningful for new generations. Educational initiatives now incorporate augmented reality elements that allow young people to “experience” historical events in immersive ways, while maintaining respect for their gravity.

The Australian government has recently expanded funding for the preservation of war memorials and historical sites, recognizing that physical places of remembrance remain powerful even in our digital age. Additionally, research programs studying the long-term impacts of military service continue to inform better support systems for veterans.

A Day of Unity

In an era of increasing global tensions, ANZAC Day 2025 serves as a reminder of the costs of conflict and the value of peace. Political leaders have emphasized in their addresses that remembering sacrifice should inspire commitment to diplomatic solutions and international cooperation.

As dawn broke across Australia and New Zealand this ANZAC Day, the words “Lest We Forget” echoed once again at ceremonies large and small. In commemorating those who served 110 years ago at Gallipoli, as well as all who have served since, Australians and New Zealanders continue to affirm their commitment to the values of courage, resilience, mateship, and sacrifice that have become central to the national character.

The ANZAC legacy lives on not just in ceremonies, but in how these values continue to inspire service and sacrifice for the greater good in everyday life, reminding us that the best way to honor those who served is to build the peaceful, just society they fought to defend.