How to manage multiple M365 tenants using inbuilt Microsoft tools

image

Okay, let’s break down how to effectively and securely manage multiple Microsoft 365 (M365) tenants using Microsoft’s integrated and add-on tools, especially when multiple employees need access.

The cornerstone solution for this scenario is Azure Lighthouse. It’s specifically designed for service providers (like MSPs) or enterprise IT teams managing multiple tenants.

Here’s a breakdown of the tools and strategies:

1. Azure Lighthouse (The Foundation)

  • What it is: Azure Lighthouse allows you to manage customer (or subsidiary) Azure and M365 resources from within your own management tenant. It uses Azure Delegated Resource Management.

  • How it works:
    • You (the managing organization) define access roles and permissions for your employees (organized into Microsoft Entra ID groups) within your tenant.

    • You create an “offer” (either a Managed Service offer in the Azure Marketplace or an ARM template deployment) that specifies these roles and the scope (subscriptions, resource groups, or entire tenant for some M365 workloads).

    • The customer/managed tenant accepts this offer, delegating the defined permissions to your specified groups/users in your tenant.
  • Key Benefits:
    • Centralized Management: Your employees log in only to your primary management tenant. They don’t need separate accounts or guest accounts in each customer tenant.

    • Enhanced Security:
      • Reduces credential sprawl (fewer accounts to manage/compromise).

      • Enables consistent application of security policies (like MFA, Conditional Access) from your tenant for your employees accessing customer resources.

      • Uses least privilege principles by assigning specific Azure built-in roles with appropriate permissions.

      • Activity logs in the customer tenant clearly show actions performed by users from your managing tenant.
    • Scalability: Easily onboard new customer tenants and assign permissions to your employee groups.

    • Cross-Tenant Visibility: View resources and alerts across multiple delegated tenants in unified dashboards (e.g., Azure Portal, Microsoft Sentinel).

2. Key Integrated Tools Leveraged with Lighthouse:

  • Azure Portal (portal.azure.com):

    • Directory + Subscription Filter: Your employees can easily switch context between different customer directories/subscriptions they have delegated access to.

    • Azure Resource Management: Manage Azure resources (VMs, networking, storage, etc.) within delegated subscriptions.

    • Microsoft Entra ID Management: Perform delegated Entra ID tasks in customer tenants (user management, group management, etc., depending on assigned roles like User Administrator, Helpdesk Administrator).

    • Service Health: Monitor the health of Azure services across delegated subscriptions.

  • Microsoft 365 Admin Centers (Accessed via Delegation):

    • While Lighthouse primarily delegates Azure roles, many M365 services are managed via Azure RBAC or have corresponding Azure AD roles that grant access.

    • Your employees, using their single login, can often access customer M365 admin centers (like admin.microsoft.com, Exchange Admin Center, SharePoint Admin Center, Teams Admin Center, security.microsoft.com, compliance.microsoft.com) if they have been assigned appropriate delegated Entra ID roles (e.g., Global Reader, Exchange Administrator, Teams Administrator, Security Administrator). The context switching happens within the respective admin portals.

  • Microsoft Sentinel:

    • Cross-Workspace Incident Viewing: If you deploy Sentinel workspaces in customer tenants, Lighthouse allows you to view and manage incidents across multiple workspaces from your managing tenant’s Sentinel instance.

    • Centralized SIEM: You can configure data connectors in each managed tenant to forward logs (Entra ID, M365 Defender, etc.) to a central Sentinel workspace in your management tenant for unified threat detection and response. This often requires specific permissions or configurations within the managed tenant.

  • Microsoft Defender Portals (security.microsoft.com / Microsoft 365 Defender & compliance.microsoft.com / Microsoft Purview):

    • Lighthouse delegation (with appropriate roles like Security Administrator/Reader, Compliance Administrator) allows your employees to access these portals for managed tenants.

    • While full cross-tenant unified views within these specific portals are still evolving, delegation significantly simplifies access compared to managing separate accounts. Some multi-tenant views are emerging, particularly for MSPs using Defender for Endpoint.

  • Microsoft Defender for Cloud:

    • Assess the security posture of Azure resources across delegated subscriptions.

    • Manage security policies and recommendations centrally.

3. Essential Supporting Tools & Practices:

  • PowerShell (Microsoft Graph SDK, Azure Az, Exchange Online, etc.):
    • Automation: Crucial for performing tasks at scale across multiple tenants (e.g., applying a standard configuration, running reports, user management).

    • Authentication: Use your managing tenant credentials combined with the delegated tenant ID to connect and manage resources programmatically. Service Principals in your managing tenant can also be granted delegated permissions via Lighthouse for automated tasks. Use secure authentication methods (certificates, managed identities where applicable) instead of interactive logins or stored credentials for scripts.
  • Microsoft Graph API:
    • The underlying API for Azure and M365. Use it directly or via SDKs (like the PowerShell SDK) for complex automation and integration scenarios across tenants. Again, authentication leverages the Lighthouse delegation.
  • Microsoft Entra ID Features (in your Managing Tenant):
    • Security Groups: Create groups for different support tiers or roles (e.g., “Tier 1 Support”, “Exchange Admins”, “Security Analysts”). Assign Lighthouse delegated permissions to these groups, not individual users. Managing group membership is easier than managing individual permissions across many tenants.

    • Conditional Access Policies: Enforce MFA, device compliance, location restrictions, etc., for your employees when they access any resources, including delegated customer tenants. This is a major security benefit.

    • Privileged Identity Management (PIM): Use PIM in your managing tenant to provide just-in-time (JIT) access to the Azure AD groups that hold the delegated Lighthouse permissions. This further enhances security by ensuring elevated privileges are only active when needed and for a limited time.

    • Access Reviews: Regularly review who has access to the delegated permission groups in your tenant.

4. Implementation Strategy:

  1. Design Your Management Structure: Define roles and responsibilities for your employees. Create corresponding Microsoft Entra ID security groups in your management tenant.

  2. Define Lighthouse Offers: Determine the necessary Azure built-in roles (e.g., Reader, Contributor, User Access Administrator, specific service admin roles) needed for each employee group. Create ARM templates or Managed Service offers for delegation.

  3. Onboard Customer Tenants: Deploy the ARM templates to or have customers accept the Managed Service offers in their respective tenants. This establishes the delegation.

  4. Configure Security in Your Tenant: Implement robust Conditional Access policies and PIM for the groups assigned delegated permissions.

  5. Train Your Staff: Ensure employees understand how to use the Azure Portal directory switcher, how delegated permissions work, and the security protocols (MFA, PIM activation).

  6. Leverage Automation: Identify repetitive tasks and automate them using PowerShell/Graph API with delegated credentials or service principals.

  7. Utilize Centralized Monitoring: Configure Sentinel or other monitoring tools to gain cross-tenant visibility.

In Summary:

Azure Lighthouse is the core Microsoft technology enabling secure and efficient multi-tenant management. By combining it with the Azure Portal, M365 admin centers, Sentinel, Defender, PowerShell, and robust Microsoft Entra ID security features (Groups, CA, PIM) within your managing tenant, you can provide your employees with streamlined, secure access to manage multiple customer environments effectively.

Governing AI usage with Microsoft 365 Business Premium

image

Here’s the best way to leverage M365 Business Premium for AI governance, covering both Microsoft’s AI (like Copilot) and third-party services:

Core Principle: Governance relies on controlling Access, protecting Data, managing Endpoints, and Monitoring activity, layered with clear Policies and user Training.

1. Establish Clear AI Usage Policies & Training (Foundation)

  • What: Define acceptable use policies for AI. Specify:

    • Which AI tools are approved (if any beyond Microsoft’s).

    • What types of company data (if any) are permissible to input into any AI tool (especially public/third-party ones). Prohibit inputting sensitive, confidential, or PII data into non-approved or public AI.

    • Guidelines for verifying AI output accuracy and avoiding plagiarism.

    • Ethical considerations and bias awareness.

    • Consequences for policy violations.
  • How (M365 Support):
    • Use SharePoint to host and distribute the official AI policy documents.

    • Use Microsoft Teams channels for discussion, Q&A, and announcements regarding AI policies.

    • Utilize tools like Microsoft Forms or integrate with Learning Management Systems (LMS) for tracking policy acknowledgment and training completion.

2. Control Access to AI Services

  • Microsoft AI (Copilot for Microsoft 365):
    • What: Control who gets access to Copilot features within M365 apps.

    • How:
      • Licensing: Copilot for M365 is an add-on license. Assign licenses only to approved users or groups via the Microsoft 365 Admin Center or Microsoft Entra ID (formerly Azure AD) group-based licensing. This is your primary control gate.
  • Third-Party AI Services (e.g., ChatGPT, Midjourney, niche AI tools):
    • What: Limit or block access to unapproved external AI websites and applications.

    • How (M365 BP Tools):
      • Microsoft Defender for Business: Use its Web Content Filtering capabilities. Create policies to block categories (like “Artificial Intelligence” if available) or specific URLs of unapproved AI services accessed via web browsers on managed devices.

      • Microsoft Intune:
        • For company-managed devices (MDM): You can configure browser policies or potentially deploy endpoint protection configurations that restrict access to certain sites.

        • If third-party AI tools have installable applications, use Intune to block their installation on managed devices.
      • Microsoft Entra Conditional Access (Requires Entra ID P1 – included in M365 BP):
        • If a third-party AI service integrates with Entra ID for Single Sign-On (SSO), you can create Conditional Access policies to block or limit access based on user, group, device compliance, location, etc.

        • Limitation: This primarily works for AI services using Entra ID for authentication. It won’t block access to public web AI services that don’t require organizational login.

3. Protect Data Used With or Generated By AI

  • What: Prevent sensitive company data from being leaked into AI models (especially public ones) and ensure data handled by approved AI (like Copilot) remains secure.

  • How (M365 BP Tools):
    • Microsoft Purview Information Protection (Sensitivity Labels):
      • Classify Data: Implement sensitivity labels (e.g., Public, General, Confidential, Highly Confidential). Train users to apply labels correctly to documents and emails.

      • Apply Protection: Configure labels to apply encryption and access restrictions. Encrypted content generally cannot be processed by external AI tools if pasted. Copilot for M365 respects these labels and permissions.
    • Microsoft Purview Data Loss Prevention (DLP):
      • Define Policies: Create DLP policies to detect sensitive information types (credit card numbers, PII, custom sensitive data based on keywords or patterns) within M365 services (Exchange, SharePoint, OneDrive, Teams) and on endpoints.

      • Endpoint DLP (Crucial for Third-Party AI): Configure Endpoint DLP policies to monitor and block actions like copying sensitive content to USB drives, network shares, cloud services, or pasting into web browsers accessing specific non-allowed domains (like public AI websites). You can set policies to block, warn, or just audit.

      • Copilot Context: Copilot for M365 operates within your M365 tenant boundary and respects existing DLP policies and permissions. Data isn’t used to train public models.
    • Microsoft Intune App Protection Policies (MAM – for Mobile/BYOD):
      • Control Data Flow: If users access M365 data on personal devices (BYOD), use Intune MAM policies to prevent copy/pasting data from managed apps (like Outlook, OneDrive) into unmanaged apps (like a personal browser accessing a public AI tool).

4. Manage Endpoints

  • What: Ensure devices accessing company data and potentially AI tools are secure and compliant.

  • How (M365 BP Tools):
    • Microsoft Intune (MDM/MAM): Enroll devices (Windows, macOS, iOS, Android) for management. Enforce security baselines, require endpoint protection (Defender), encryption, and patching. Non-compliant devices can be blocked from accessing corporate resources via Conditional Access.

    • Microsoft Defender for Business: Provides endpoint security (Antivirus, Attack Surface Reduction, Endpoint Detection & Response). Helps protect against malware or compromised endpoints that could exfiltrate data used with AI.

5. Monitor and Audit AI-Related Activity

  • What: Track usage patterns, potential policy violations, and data access related to AI.

  • How (M365 BP Tools):
    • Microsoft Purview Audit Log: Search for activities related to file access, sensitivity label application/changes, and DLP policy matches (including Endpoint DLP events showing attempts to paste sensitive data into blocked sites). While it won’t show what was typed into an external AI, it shows attempts to move sensitive data towards it.

    • Microsoft Defender for Business Reports: Review web filtering reports to see attempts to access blocked AI sites.

    • Entra ID Sign-in Logs: Monitor logins to any Entra ID-integrated AI applications.

    • Copilot Usage Reports (via M365 Admin Center): Track adoption and usage patterns for Microsoft Copilot across different apps.

Summary: The “Best Way” using M365 Business Premium

  1. Foundation: Start with clear Policies and Training. This is non-negotiable.

  2. Control Access: Use Licensing for Copilot. Use Defender Web Filtering and potentially Intune/Conditional Access to restrict access to unapproved third-party AI.

  3. Protect Data: Implement Sensitivity Labels to classify and protect data at rest. Use Endpoint DLP aggressively to block sensitive data from being pasted into browsers/unapproved apps. Use Intune MAM for BYOD data leakage prevention.

  4. Secure Endpoints: Ensure devices are managed and secured via Intune and Defender for Business.

  5. Monitor: Regularly review Purview Audit Logs, DLP Reports, and Defender Reports for policy violations and risky behavior.

Limitations to Consider:

  • No foolproof blocking: Highly determined users might find ways around web filtering (e.g., personal devices not managed, VPNs not routed through corporate controls).

  • Limited insight into third-party AI: M365 tools can block access and prevent data input but cannot see what users do inside an allowed third-party AI tool or analyze its output directly.

  • Requires Configuration: These tools are powerful but require proper setup, configuration, and ongoing management.

By implementing these layers using the tools within Microsoft 365 Business Premium, you can establish robust governance over AI usage, balancing productivity benefits with security and compliance needs.

Microsoft Global Secure Access and M365 Business Premium

image

What is Microsoft Global Secure Access (GSA)?

Microsoft Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. Think of it as a modern, cloud-native security perimeter that helps organizations secure access to any application or resource, regardless of where the user or the resource is located. It’s part of the broader Microsoft Entra product family (which also includes Entra ID, formerly Azure AD).

GSA converges networking and security capabilities, moving away from traditional perimeter-based security (like on-premises firewalls and VPNs) towards a model centered on identity and delivered from Microsoft’s global network edge.

It primarily consists of two core services:

  1. Microsoft Entra Internet Access: Secures access to the public internet, SaaS applications, and Microsoft 365 apps. It acts like a cloud-based Secure Web Gateway (SWG), filtering traffic, applying security policies, and protecting users from web threats.

  2. Microsoft Entra Private Access: Provides secure, Zero Trust Network Access (ZTNA) to private corporate resources (applications hosted on-premises or in IaaS environments) without needing traditional VPNs.

Benefits of Microsoft Global Secure Access:

GSA offers significant advantages, especially for organizations embracing hybrid work and cloud adoption:

  1. Enhanced Security Posture (Zero Trust Alignment):

    • Granular Access Control: Moves beyond simple network access (like VPNs grant) to application-level access based on strong identity verification (user, device health, location) enforced by Microsoft Entra Conditional Access.

    • Reduced Attack Surface: Eliminates the need to expose private applications directly to the internet or grant broad network access via VPNs. Users only get access to the specific resources they are authorized for.

    • Consistent Policy Enforcement: Apply unified security policies (like requiring MFA, compliant devices, etc.) across M365 apps, SaaS apps, internet browsing, and private resources.

    • Threat Protection: Entra Internet Access provides security features like web content filtering, malicious site blocking, and integration with Microsoft’s threat intelligence to protect users browsing the web.

  2. Improved User Experience:

    • Faster & More Direct Access: Leverages Microsoft’s vast global network. Traffic is routed optimally to the nearest Microsoft Point of Presence (PoP) and then directly to the resource (M365, SaaS, internet, or private app via connector), often resulting in lower latency than backhauling traffic through a central VPN concentrator.

    • Seamless Connectivity: Users connect automatically via the GSA client without the often clunky manual connection process of traditional VPNs.

    • Works Anywhere: Provides consistent security and access experience whether the user is in the office, at home, or traveling.

  3. Simplified Management & Operations:

    • Unified Console: Managed directly within the Microsoft Entra admin center alongside identity and other security settings.

    • Reduced Infrastructure Complexity: Eliminates or reduces the need to manage complex on-premises VPN concentrators, firewalls, and web proxies.

    • Cloud-Native Scalability: Scales automatically with your needs without requiring hardware upgrades.

    • Integrated Logging & Reporting: Provides centralized visibility into access patterns and security events across different resource types.

  4. Cost Savings (Potential):

    • Consolidation: Can potentially replace multiple point solutions (VPN, SWG, ZTNA products) with a single integrated platform.

    • Reduced Infrastructure Costs: Lower operational overhead associated with managing on-premises security appliances.

  5. Better Integration with Microsoft Ecosystem:

    • Deep Conditional Access Integration: GSA network conditions (like “compliant network”) can be used as signals within Conditional Access policies for richer context-aware authorization.

    • Leverages Entra ID: Builds directly on your existing identity foundation in Microsoft Entra ID.

Enabling Global Secure Access with M365 Business Premium License:

This is where it gets a bit nuanced, as licensing for GSA features has evolved. Here’s the breakdown relevant to M365 Business Premium:

  1. Prerequisite – Microsoft Entra ID P1: M365 Business Premium includes Microsoft Entra ID P1. This is the foundational requirement for using Global Secure Access features.

  2. Included Functionality (as of recent updates):

    • Microsoft Entra Internet Access for Microsoft 365 Traffic: A significant update (announced around May 2024) is that the capability to secure Microsoft 365 traffic (SharePoint Online, Exchange Online, Teams) through GSA, and use the source IP restoration feature, is now included with all Microsoft Entra ID licenses (Free, P1, P2). This means your M365 Business Premium license covers securing your M365 traffic via GSA and applying Conditional Access policies based on GSA signals for M365 apps.

  3. Functionality Requiring Additional Licenses:

    • Microsoft Entra Internet Access for All Internet Traffic: To secure all outbound internet and SaaS app traffic (beyond just M365), you generally need a specific Microsoft Entra Internet Access license (available as P1 or P2 standalone add-ons). This provides the full SWG capabilities like web content filtering across all sites.

    • Microsoft Entra Private Access: To secure access to your private, on-premises, or IaaS-hosted applications, you need a Microsoft Entra Private Access license (available as P1 or P2 standalone add-ons).

    • Bundles: These GSA licenses are often bundled within higher-tier licenses like Microsoft 365 E3 or E5, or available for purchase separately.

    In summary for M365 Business Premium: You get the Entra ID P1 prerequisite and the ability to secure M365 traffic via GSA included. For full internet traffic protection or private app access, you typically need to purchase GSA-specific add-on licenses.

How to Enable and Configure (Assuming Necessary Licenses):

The enablement process happens within the Microsoft Entra admin center (entra.microsoft.com):

  1. Prerequisites Check:

    • Ensure you have the necessary licenses (M365 Business Premium for the base + potentially GSA add-ons depending on your goals).

    • You need appropriate administrative roles (e.g., Global Administrator, Security Administrator, or the specific Global Secure Access Administrator roles).

  2. Activate Global Secure Access:

    • Navigate to the Microsoft Entra admin center.

    • Go to Global Secure Access (Preview) in the left-hand navigation pane. (Note: It might still be labeled “Preview” even as features GA).

    • If it’s your first time, you might see an activation screen. Click Activate to enable the GSA features for your tenant.

  3. Configure Traffic Forwarding Profiles:

    • Under Global Secure Access, go to Connect > Traffic forwarding.

    • Here you manage how client traffic gets sent to the GSA service. You’ll see profiles like:

      • Microsoft 365 profile: This is likely enabled by default if you have the appropriate license (like M365 BP). It directs M365 traffic through GSA.

      • Internet access profile: You need to explicitly enable this if you want all internet traffic forwarded (requires the Entra Internet Access license).

      • Private access profile: Enable this if you want to route traffic to private resources (requires the Entra Private Access license).

  4. Deploy the Global Secure Access Client:

    • Under Global Secure Access, go to Connect > Client download.

    • Download the GSA client for Windows.

    • Deploy this client to your end-user devices (e.g., via Intune, included in M365 Business Premium). The client automatically captures traffic based on the enabled forwarding profiles and sends it to the GSA service edge.

  5. Configure Internet Access Policies (If Licensed for Full Internet Access):

    • Navigate to Global Secure Access > Secure.

    • Web content filtering policies: Create policies to block specific categories of websites.

    • Security profiles: Link Conditional Access policies to enforce security requirements for internet access.

  6. Configure Private Access (If Licensed):

    • This is more involved:

      • Install Connectors: Go to Connect > Connectors. Download and install the lightweight Entra Private Access Connector agent on a server(s) within your private network that has access to the target applications.

      • Configure Connector Groups: Organize your connectors.

      • Define Enterprise Applications: Go to Applications > Enterprise applications in Entra ID. Create/configure representations of your private apps.

      • Configure Quick Access or Global Secure Access Apps: Under Global Secure Access > Applications > Quick Access (for simple setup) or Global Secure Access Apps (for per-app configuration), define which private apps should be accessible via GSA and link them to the appropriate connector groups. Assign users/groups to these apps.

  7. Integrate with Conditional Access:

    • Go to Protection > Conditional Access in the Entra admin center.

    • When creating or editing policies, under Conditions > Locations, you can now configure it to include “All Compliant Network locations“. This represents traffic coming through GSA.

    • You can create policies like “Require MFA if accessing App X unless connecting from a Compliant Network (GSA)”.

  8. Monitor and Report:

    • Use the Monitor section within Global Secure Access to view traffic logs, connectivity health, and reports.

Important Considerations:

  • Licensing is Key: Double-check the latest Microsoft licensing documentation or consult with a Microsoft partner/representative. Licensing details, especially for newer services like GSA, can change. What’s included in M365 Business Premium today regarding GSA might evolve.

  • Preview Status: Some GSA components might still be in public preview, meaning they are subject to change and might not have full support SLAs yet.

  • Client Deployment: Plan your rollout of the GSA client to end-user devices.

  • Network Configuration: Ensure firewalls allow outbound traffic from the GSA client (port 443) and from the Private Access connectors (outbound 443).

By leveraging Global Secure Access, even with just the M365 traffic protection included in Business Premium, you start aligning with Zero Trust principles and enhance security for your Microsoft 365 environment. Adding the full Internet and Private Access capabilities provides a comprehensive SSE solution.

Passkeys in Microsoft Entra ID (formerly Azure Active Directory)

image

What are Passkeys?


At their core, Passkeys are a modern, highly secure, and user-friendly replacement for passwords. They are built upon the WebAuthn (Web Authentication) standard and the FIDO Alliance’s Client to Authenticator Protocol (CTAP).


Think of them as the next evolution of FIDO2 security keys, but designed for broader usability and syncing across devices.


Instead of a user remembering a secret (password), a Passkey relies on public-key cryptography:

Key Pair Generation:



  • Private Key: Stored securely on your device within a secure element. The private key never leaves your device.


  • Public Key: Sent to and stored by the service (Entra ID) and associated with your user account.


Authentication:



  • Entra ID sends a challenge to your browser/OS.


  • Your browser/OS prompts you to use your Passkey.


  • You unlock the private key using your device’s screen lock method (e.g., Face ID, Windows Hello).


  • The device signs the challenge.


  • The signed challenge is sent to Entra ID, which verifies it using the stored public key.


How Passkeys Work Specifically in Entra ID


Enablement (Admin Task):


Admins must enable FIDO2 security keys / Passkeys in the Entra ID portal (Authentication Methods Policy).

User Registration:



  • Visit https://aka.ms/mysecurityinfo


  • Choose “Add sign-in method” and select “Passkey (preview)” or “Security key”


  • Choose where to save the Passkey:


    • Synced Passkey: Uses phone/laptop and syncs via iCloud, Google, etc.


    • Device-Bound Passkey: Uses a physical hardware key like a YubiKey.




  • Authenticate to your device to generate the key pair and register with Entra ID.


User Authentication:



  • Visit a Microsoft sign-in page.


  • Enter username and choose “Sign in with a passkey”.


  • Authenticate with your Passkey using biometrics or PIN.


  • Entra ID sends a challenge; your device signs it and sends it back.


  • Entra ID verifies the signature and grants access.


Benefits of Passkeys Over Traditional Passwordless Methods





















Feature Passkeys (Synced/Discoverable) Traditional FIDO2 Keys (Device-Bound) Windows Hello for Business (WHfB) Authenticator App (Passwordless Phone Sign-in)
Phishing Resistance Highest Highest High High
Usability/Convenience Very High Moderate Very High High
Cross-Device Sync Yes No No Yes
Cross-Platform Yes Yes No Yes
Need Separate Item? No Yes No No
Backup/Recovery Managed by Platform Difficult Difficult Good
Standardization High High Moderate Lower
Attack Surface Relies on device/platform security Isolated TPM-backed Phone/app security

Key Advantages Summarized:



  • Ultimate Phishing Resistance: Passkeys are tied to the website’s origin, blocking phishing attacks.


  • Superior User Experience: Device unlock methods are faster than typing passwords or using codes.


  • Cross-Device Availability: Passkeys sync across devices via platforms like iCloud or Google.


  • No Shared Secret: No password or hash is stored server-side — only the public key.


  • Reduced Friction: No more password resets, complexity rules, or rotation policies.


  • Strong Standardization: Based on open standards for broad compatibility.


In essence: Passkeys combine FIDO2-level security with a streamlined user experience, cross-device syncing, and deep platform integration — making them ideal for secure, passwordless authentication in Entra ID and beyond.

Need to Know podcast–Episode 344

Join me to hear about the latest news and update from the Microsoft cloud as well as a deep dive into SharePoint agents. Plenty of AI news is again coming your way in this episode as Copilot spreads its wings and continues to grow across the stack. List in for more details.

Brought to you by www.ciaopspatron.com

you can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-344-sharepoint-agents/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

Widespread Microsoft Entra lockouts tied to new security feature rollout

FYAI: How agents will transform business and daily work

Announcing new computer use in Microsoft Copilot Studio for UI automation

Introducing agent flows: Transforming automation with AI-first workflows

Five things for IT administrators to know about SharePoint agent management

How to deploy Microsoft Purview DSPM for AI to secure your AI apps

Transforming security​ with Microsoft Security Exposure Management initiatives

Microsoft Purview: New data security controls for the browser & network

Step-by-Step Guide : How to enable QR code authentication for Microsoft Entra ID (Preview)

ActiveX disabled by default in Microsoft 365

Achieve greater security with Intune and Microsoft 365

Troubleshooting Windows Feature updates in Microsoft Intune

Azure Files: More performance, more control, more value for your file data

Feature deep dive: Using PDFs in OneDrive and our journey thus far

CIA Brief 20250419

image

Student SOCs turn college experience into career readiness –

https://www.microsoft.com/en-us/education/blog/2025/04/student-socs-turn-college-experience-into-career-readiness/

Analyze an uploaded document with Microsoft 365 Copilot Chat –

https://www.youtube.com/watch?v=75vF2ysGgbo

Identify your readiness for AI-first development with agents and Microsoft Power Platform –

https://www.microsoft.com/en-us/power-platform/blog/2025/04/14/identify-your-readiness-for-ai-first-development-with-agents-and-microsoft-power-platform/

Upcoming changes to Microsoft Purview eDiscovery –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/upcoming-changes-to-microsoft-purview-ediscovery/4405084

Turn voice notes into structured documents with Microsoft Copilot –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/turn-voice-notes-into-structured-documents-with-microsoft-copilot/4404558

Transforming security with Microsoft Security Exposure Management initiatives –

https://www.microsoft.com/en-us/security/blog/2025/04/15/transforming-security-with-microsoft-security-exposure-management-initiatives/

FYAI: How agents will transform business and daily work with Business and Industry Copilot Corporate Vice President Charles Lamanna –

https://www.microsoft.com/en-us/microsoft-cloud/blog/2025/04/10/fyai-how-agents-will-transform-business-and-daily-work-with-business-and-industry-copilot-corporate-vice-president-charles-lamanna/

Introducing agent flows: Transforming automation with AI-first workflows –

https://www.microsoft.com/en-us/microsoft-copilot/blog/copilot-studio/introducing-agent-flows-transforming-automation-with-ai-first-workflows/

o3 and o4-mini: Unlock enterprise agent workflows with next-level reasoning AI with Azure AI Foundry and GitHub –

https://azure.microsoft.com/en-us/blog/o3-and-o4-mini-unlock-enterprise-agent-workflows-with-next-level-reasoning-ai-with-azure-ai-foundry-and-github/

Announcing new computer use in Microsoft Copilot Studio for UI automation –

https://www.microsoft.com/en-us/microsoft-copilot/blog/copilot-studio/announcing-computer-use-microsoft-copilot-studio-ui-automation/

Buy Microsoft 365 Copilot for your business –

https://www.youtube.com/watch?v=jQgkvJe_7Nk

Feature deep dive: Using PDFs in OneDrive and our journey thus far –

https://techcommunity.microsoft.com/blog/onedriveblog/feature-deep-dive-using-pdfs-in-onedrive-and-our-journey-thus-far/4403628

Microsoft Purview: New data security controls for the browser & network –

https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/microsoft-purview-new-data-security-controls-for-the-browser–network/4402736

Create your own agents in Copilot Chat –

https://www.youtube.com/watch?v=2oeng2JAMuE

Step-by-Step Guide : How to enable QR code authentication for Microsoft Entra ID (Preview) –

https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-guide–how-to-enable-qr-code-authentication-for-microsoft-entra-id-/4393286

Threat actors misuse Node.js to deliver malware and other malicious payloads –

https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/

How to deploy Microsoft Purview DSPM for AI to secure your AI apps –

https://techcommunity.microsoft.com/blog/microsoft-security-blog/how-to-deploy-microsoft-purview-dspm-for-ai-to-secure-your-ai-apps/4397714

Get Microsoft 365 Copilot Chat for your business –

https://www.youtube.com/watch?v=8nJCt_BSdZQ

3 new ways AI agents can help you do even more –

https://news.microsoft.com/source/features/ai/3-new-ways-ai-agents-can-help-you-do-even-more/?ocid=msftnews_x

Five things for IT administrators to know about SharePoint agent management –

https://techcommunity.microsoft.com/blog/spblog/five-things-for-it-administrators-to-know-about-sharepoint-agent-management/4402036

Repurpose existing content with Microsoft 365 Copilot –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/repurpose-existing-content-with-microsoft-365-copilot/4397178

ActiveX disabled by default in Microsoft 365 –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/activex-disabled-by-default-in-microsoft-365/4403157

After hours

How Do Hot Air Balloons Actually Steer? – https://www.youtube.com/watch?v=g6tlNyr5sl8

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Likelihood of SMB MSP Survival

image

The consensus is that AI presents both a significant challenge and a substantial opportunity for SMB MSPs. Survival is not guaranteed for those who stand still, but highly likely for those who adapt and evolve.

  • The Threat: AI and automation will inevitably take over many routine, repetitive tasks currently performed by MSPs. This includes basic monitoring, patch management, Level 1 support ticket resolution, automated reporting, and even some aspects of threat detection. MSPs whose business models rely heavily only on these basic, commoditized services are at the highest risk of becoming obsolete or facing intense price pressure.
  • The Opportunity: AI also creates immense opportunities.
    • Increased Efficiency: MSPs can leverage AI internally to automate their own processes, freeing up technicians for higher-value tasks, reducing costs, and improving service delivery speed and accuracy.
    • Enhanced Service Offerings: AI enables more sophisticated services like predictive analytics for hardware failure, advanced cybersecurity threat hunting (using AI to detect anomalies humans might miss), optimized cloud management, and data-driven business insights for clients.
    • New Service Lines: There’s a growing need for businesses, especially SMBs, to understand, implement, and manage AI tools safely and effectively. MSPs are perfectly positioned to become AI consultants and implementation partners for their clients, guiding AI adoption strategies.
    • Cybersecurity Imperative: As cyber threats become more sophisticated (partially driven by AI used by attackers), the need for advanced, AI-enhanced cybersecurity services provided by MSPs will increase.

Conclusion on Likelihood: The traditional MSP model focused solely on basic IT support is under threat. However, the role of the MSP is evolving, not disappearing. Those MSPs that embrace AI, automate internally, and shift their focus to higher-value, strategic services have a strong likelihood of survival and even significant growth. Industry reports show optimism among MSPs, viewing AI as a driver for future business opportunities, particularly in AI consulting and cybersecurity.

Best Business Strategies for SMB MSPs to Survive and Thrive

  1. Embrace AI and Automation Internally:

    • Adopt AIOps: Use AI for IT Operations to automate routine tasks (ticketing, monitoring, patching, root cause analysis).
    • Streamline Processes: Implement AI tools for billing, reporting, customer relationship management (CRM), and even sales proposal generation to boost efficiency and reduce errors.

    • Free Up Human Resources: Allow AI to handle repetitive tasks so skilled technicians can focus on complex problem-solving, strategic planning, and client relationships.

  2. Move Up the Value Chain – Become a Strategic Partner:

    • Shift from IT Support to Business Advisor: Focus on understanding clients’ business goals and how technology (including AI) can help achieve them.

    • Offer Strategic IT Consulting: Provide guidance on digital transformation, cloud strategy, data governance, and AI adoption roadmaps.

    • Become the AI Guide: Help SMB clients navigate the complexities of choosing, implementing, securing, and managing AI tools within their own businesses.

  3. Deepen Cybersecurity Expertise:

    • Leverage AI for Security: Implement and manage advanced AI-powered security tools (Managed Detection and Response – MDR, Security Information and Event Management – SIEM, anomaly detection).
    • Offer Comprehensive Security Services: Expand beyond basic antivirus to include vulnerability assessments, penetration testing, security awareness training, incident response planning, and compliance management (including cyber hygiene assessments for AI readiness).

    • Address AI-Specific Risks: Help clients understand and mitigate the security and ethical risks associated with AI implementation (data privacy, bias, new attack vectors).

  4. Specialize:

    • Vertical Focus: Develop deep expertise in specific industries (e.g., healthcare, finance, manufacturing) and tailor services to their unique needs and compliance requirements.

    • Technology Focus: Become experts in specific high-demand areas like specific cloud platforms, advanced data analytics, or particular AI applications.

  5. Enhance Customer Experience and Relationships:

    • Personalization: Use AI insights (e.g., analyzing support tickets, client feedback) to anticipate needs and personalize service delivery, but maintain the crucial human touch.

    • Focus on Trust: While AI handles tasks, the human element of trust, strategic advice, and relationship management becomes a key differentiator.

    • Client Education: Proactively educate clients on evolving technology landscapes, security threats, and the benefits/risks of AI.

  6. Invest in Training and Talent:

    • Upskill Current Staff: Train technicians on new AI tools, cybersecurity practices, data analysis, and consultative skills.

    • Strategic Hiring: Consider hiring personnel with data science or AI-specific expertise if needed.

  7. Develop Robust Data Management and Governance Practices:

    • For Clients: Offer services to help clients manage their data effectively, which is crucial for successful AI implementation.
    • Internally: Ensure high-quality data hygiene within the MSP’s own systems to maximize the effectiveness of internal AI tools and analytics.

By adopting these strategies, SMB MSPs can transition from potentially threatened basic IT providers to indispensable strategic technology partners, well-equipped to navigate and capitalize on the changes brought by AI.