Microsoft 365

Microsoft Copilot for Microsoft 365 Enablement Experience

I’ve recently purchased Copilot for Microsoft 365 to play with on my own tenant, and wanted to share my experience. No, I did not use Copilot or any other AI to write this post :) Some of the below may sound picky, but I’m trying to be clear around names and functions as I found a lot of it hard to correctly define as I went. You’re going to see the word ‘Copilot’ a lot – sorry.

First, I’ll attempt to clarify that I’m only looking at Copilot for Microsoft 365. What “Microsoft Copilot” is turns out to be a harder question to get your head around, because Bing Chat for Enterprise/Bing Chat Enterprise is now just called Copilot. Copilot for Microsoft 365 is Copilot integrated into the Microsoft 365 apps, so think of Copilot as the AI solution itself, and “Copilot for X” as Copilot integrated with product X: able to use some of the data in it, and giving answers more contextual to that solution (but not limited to it!).

I found this really good graphic of Microsoft Copilot but can’t find the original source!


Alright, so looking at the options below we have Copilot, which is free; Copilot for Microsoft 365, which you pay for per user and which integrates into the Microsoft 365 apps; and there’s also Copilot Pro, which gives you integration with some of the Microsoft 365 apps and a few extra base Copilot perks. Copilot Pro is for consumers and targeted at individuals; you can’t buy it against a business account.

In my own tenant of 1 active user, I purchased Copilot for Microsoft 365. I had to do this for a year because it was either that, or 3 years. My tenant is quite old, US based, and also has some trial/unique test licenses applied from Microsoft.

Just for reference too, Copilot for Microsoft 365 prompts, responses and the data it reads through Microsoft Graph stay within the Microsoft 365 service boundary, and are not used to train the underlying models or read by Microsoft in any other way. It also only returns content the signed-in user already has permission to access, so any oversharing that already exists in SharePoint or OneDrive simply becomes easier for that user to find.

Source: https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/ecosystem

Note that although the official diagram above is titled “Microsoft 365 Copilot”, that was the name at launch; it is now “Microsoft Copilot for Microsoft 365”.

The purchasing and assigning of Copilot for Microsoft 365 is somewhat of a non-event like most other licenses. I was able to buy a single license, as Microsoft reduced the 300 minimum requirement in December 2023. From the Microsoft 365 admin center, you have the following subservices available:
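The same information the admin center shows (the SKU, its service plans, which are the “subservices” above, and the assignment) can be read and applied from PowerShell. The following is an added example and not from the original post: it uses the Microsoft Graph PowerShell SDK, discovers the Copilot SKU by a part number containing ‘Copilot’ because the exact SkuPartNumber is not stated on this page, and uses user@example.com as a placeholder user.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Assumption: the Copilot for Microsoft 365 SKU part number contains 'Copilot'; it is looked
# up rather than hard-coded because the exact value is not given on this page.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.ReadWrite.All'

$upn = 'user@example.com'   # placeholder: the user to license

# 1. Find the Copilot SKU and show what it contains (the 'subservices' are its service plans)
$copilotSku = Get-MgSubscribedSku -All |
    Where-Object { $_.SkuPartNumber -like '*Copilot*' } |
    Select-Object -First 1
if (-not $copilotSku) { throw 'No Copilot SKU found in this tenant.' }

"SKU: $($copilotSku.SkuPartNumber) ($($copilotSku.SkuId))"
$copilotSku.ServicePlans |
    Select-Object ServicePlanName, ProvisioningStatus |
    Format-Table -AutoSize

# 2. Make sure a seat is actually free before trying to assign one
$free = $copilotSku.PrepaidUnits.Enabled - $copilotSku.ConsumedUnits
if ($free -lt 1) {
    throw "No free Copilot seats: $($copilotSku.ConsumedUnits)/$($copilotSku.PrepaidUnits.Enabled) in use."
}

# 3. Assign the licence. Set-MgUserLicense wants both lists, so pass an empty RemoveLicenses.
Set-MgUserLicense -UserId $upn `
    -AddLicenses @(@{ SkuId = $copilotSku.SkuId }) `
    -RemoveLicenses @() | Out-Null

# 4. Confirm the plans now show against the user
Get-MgUserLicenseDetail -UserId $upn |
    Where-Object { $_.SkuId -eq $copilotSku.SkuId } |
    Select-Object -ExpandProperty ServicePlans |
    Select-Object ServicePlanName, ProvisioningStatus
```

Copilot for Microsoft 365 is an add-on that needs a qualifying base licence on the user; the script does not check for that, so verify it separately if the plans stay in a pending state.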

From the user side, I just noticed the Copilot options turn up as soon as I went to check them. The first thing I wanted to work out was how I interface with Copilot when it’s app agnostic. Here’s where the fun started:

https://copilot.microsoft.com, https://www.microsoft365.com/chat/, and https://bing.com/chat look pretty much the same, two have a ‘work’ option to make sure you’re processing data in your own tenant and not giving sensitive information back to Microsoft in other ways… and the third requires a work login to access – so what’s the difference?

Honestly I’m not sure. I tried working this out but failed – maybe there isn’t one? It will save what you searched, and that history will be visible across all three chat solutions:

I was going to use this example question of ‘how many emails did I get yesterday’ as my next point of frustration. When I had been testing this for the last few days, it incorrectly told me each time that I’d received just 1 email. Then, when I asked it about another email I’d received in that same ‘yesterday’ timeframe, it agreed that one was also received yesterday. When questioned about the discrepancy, it stopped the conversation.

However, it looks like that’s already been resolved:

I am glad it’s now not giving an incorrect answer, but I did expect it to be able to actually answer this question with a correct number. We’ll move on to finding some information I know is in there:

I asked to see ALL the emails where I’ve passed a Microsoft exam. It found one from 2008, something else irrelevant to exams, and then 6 other emails for me to check out.

Note that I have a bunch of emails that should quite clearly be picked up, such as this one from February this year, which I found by doing a search for the word ‘Exam’ in my mailbox:

How about certifications then? For some reason it did find a much newer email about a Certification renewal (the word ‘Exam’ wasn’t on that one). When I asked to ‘show me more emails’ it proceeded to just do what I asked out of context, and showed me 5 example emails from my mailbox unrelated to the previous query.

These experiences are frustrating – partly because I can see the amazing potential Copilot has (honestly I can!), but also because of how consistently it can miss the mark of my expectations. It could be that my expectations are too high – but if they are, then it’s Copilot’s job to set them correctly as part of its answer system. And no, putting a label saying ‘AI-generated content may be incorrect’ at the bottom of everything doesn’t quite cut it.

OK, how about asking Copilot for Microsoft 365 about files? Asking it what I accessed last is correct, and matches what I see on the ‘My content > All’ section of Microsoft 365. However, that fell over quickly when I asked it what folders were in the root of my OneDrive: it claimed it’d have to do a search for that (why don’t you just go and search then?), as well as showing me an ini file I’d opened 6 days ago for Diablo IV, which for reference was the 7th last file I’d accessed. Asking it to search for the folders resulted in it telling me that it had now done that search but couldn’t list the folders. Taking its next suggestion, I asked it to list the contents of a folder called Work, which I’d created a few days ago and which has only ever had 1 file in it. The results came back incorrect again, claiming the presentation2 file, which as per the first result was in a folder called ‘Documents’ and not in a folder called ‘Work’.

OK, enough digging for data.

My other surprise on purchasing the Copilot for Microsoft 365 license was receiving a call at about 5am, which although I woke up to, did not answer in time. I called it back, heard a recording saying it was Microsoft, and assumed it was a scam call. Checking my emails later, I noticed that a case had been logged in my name at 1:06am called “Getting started with Copilot, we’re here to help.”

I logged onto the support area of the Microsoft 365 Admin portal, and yes there was a ticket under my name, with my mobile phone number (including the +61 area code for Australia) that had been logged for me. Yes, I have notes on this experience:

  1. Although Microsoft Support can be used for both break/fix and advisory calls, it should not be used as a marketing tool to proactively ensure a customer is getting value from something they only just purchased. In other words, don’t shoehorn a solution to a problem you see, into a different system not designed for that.
  2. Don’t list it as the customer doing the action themselves if you automate something on their behalf.
  3. Don’t put down on my behalf that I’d like a phone call about the ticket you logged pretending to be me.
  4. Have a look at the customer’s timezone and call them during business hours.
  5. Who came up with the incident title? At least start with ‘Auto generated’ – you’ve used the title as a way to communicate to me when that’s very much not what the title of an incident is supposed to do.
  6. After calling me and waking me up, don’t send an email asking me to respond, telling me that if I don’t you’ll call back, and claiming you’ll do so ‘again’ during business hours.
  7. Don’t use the Status of ‘Feedback’ when it really isn’t – I’m probably not going to have feedback a few hours after enabling the service (but give me a few days to write up a blog post!).

Support also advised me that “A ticket is logged when copilot is purchased” and proceeded to give me a bunch of links about Copilot for Microsoft 365 anyway. Seems like that could have just been the email they sent without all the other noise.

There was one good link in there which was about Copilot prompts – worth a quick look but seriously, why isn’t this just linked at the top of the Copilot prompt area? There’s a lot of white space this link could go in.

I’ve had a few others claim similar experiences when enabling Copilot for Microsoft 365 including Microsoft MVP Karen Lopez:

Yikes.

I know I’ve banged on about frustrations here, but my general point is to try and set realistic expectations around the current state of Copilot for Microsoft 365. It is not a magical answer to doing most of your work for you. It is really good at writing responses for you as either starters, frameworks, or mostly done content to fine tune. It’s really good at summarising emails. It’s really good at responding to something you don’t want to spend time on – I was ‘invited’ to attend free LinkedIn Workshops to help me put content on that platform, and clicking reply brings up a great Copilot experience: auto-answer type buttons depending on the response I want to give, an area to get Copilot to help me draft a response, or I can just start typing and Copilot stays out of the way.

Although I can’t think of many situations that a poem would be my response, it’s one of those options you have to try:

So yes, these sorts of functions are hugely valuable just for these sorts of use cases on email. It also does a lot of great stuff in Word, PowerPoint, and Excel, along with Outlook as above – but those deserve their own posts. Copilot, and in turn Copilot for Microsoft 365, are going to get better at a hugely accelerated rate, and the items that are less focused on purely the language side of LLMs and a bit more data based will be valuable. And, despite my criticisms above, I still think everyone should buy or at least try this to learn, get ready, and understand what is actually possible right now in our era of AI – just make sure your environment is ready for it with the right controls, processes, and security in place.

Cloud.Microsoft is coming (and already here a bit)!

Microsoft has been planning to migrate Microsoft 365 services to a new domain – cloud.microsoft – for over a year.

Back in April 2023, Microsoft announced the upcoming change with a starting sentence: “…today we’re excited to announce that Microsoft is beginning to reduce this fragmentation by bringing authenticated, user-facing Microsoft 365 apps and services onto a single, consistent and cohesive domain: cloud.microsoft.”

As pointed out to me by Microsoft MVP Karl Wester-Ebbinghaus, who in turn was reading this post from Dr Windows aka Martin Geuß, there is now an update on the Microsoft 365 Message Center called “Product transitions to the cloud.microsoft domain – February 2024” Message ID MC724837 (published on March 5th which is still almost February). It calls out that the new domains are starting to go live, in parallel with existing domains – meaning you won’t get redirected to the new ones yet.

A list of services that are already running on a cloud.microsoft domain are documented here: https://learn.microsoft.com/microsoft-365/enterprise/cloud-microsoft-domain which at the time of writing looks like this:

List of live cloud.microsoft subdomains as of 12 March 2024

As Microsoft has exclusive rights to the .microsoft top-level domain (it is a brand TLD, so nobody else can register a name under it), anything served from it can be held to a pretty high standard of trust. Make your own decisions around what you may allow from the single .microsoft domain, or the initial sub-domain of cloud.microsoft, and make sure any rule matches on the domain suffix properly rather than on a substring, since a look-alike such as cloud.microsoft.example.com is not a Microsoft domain. You may need to add the domain/subdomain to allow lists.

What the above changes also mean for me personally, is a lot of ongoing work on MSPortals.io to keep it up to date, as well as keep the old links on there while they still function:

I’ll do my best to keep MSPortals.io as updated as possible, but if you notice anything that needs an update, please contact me or use the GitHub option on the site to submit an update.

Other notes and takeaways from the message center post:

It appears the planned end dates for non-cloud.microsoft URLs for Microsoft 365 services are somewhere between June 2024 and September 2024.

Follow the guidance on Microsoft 365 URLs and IP address ranges and there should be no network administrative impact to these changes.

Update documentation and communicate the change to end users – this is a good chance to train or rehash what domains are, which helps users recognise phishing attempts (both web based and email).

If you have any tools built that connect to Microsoft 365 services (3rd party, or internally developed), make sure their owners are aware of the upcoming changes and have a plan to update.
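The allow-list and phishing points above both come down to the same check: is this host really under cloud.microsoft, or does it just contain that string? The following is an added example, not from the original post or from Microsoft: a PowerShell function that matches on whole DNS labels, run over a constructed set of entries. The host app.cloud.microsoft is a placeholder and is not taken from Microsoft’s list of live subdomains.

```powershell
# Added example (not from the original post). Decides whether a URL or bare host name really
# sits under cloud.microsoft by matching on DNS labels, so look-alikes such as
# cloud.microsoft.example.com or cloudmicrosoft.com are rejected.
function Test-CloudMicrosoftHost {
    param([Parameter(Mandatory)][string]$UrlOrHost)

    $hostName = $UrlOrHost
    if ($UrlOrHost -match '^[A-Za-z][A-Za-z0-9+.-]*://') {
        # Full URL: let the URI parser pick out the host (handles ports, paths, userinfo)
        $uri = $null
        if (-not [System.Uri]::TryCreate($UrlOrHost, [System.UriKind]::Absolute, [ref]$uri)) {
            return $false
        }
        $hostName = $uri.Host
    }

    # Normalise: lower-case and drop a trailing dot (fully-qualified form)
    $hostName = $hostName.ToLowerInvariant().TrimEnd('.')

    # Either the apex itself, or a name whose suffix starts at a label boundary
    return ($hostName -eq 'cloud.microsoft') -or $hostName.EndsWith('.cloud.microsoft')
}

# Constructed sample entries, as they might appear in an allow-list or a phishing email.
# 'app.cloud.microsoft' is a placeholder host, not one from Microsoft's published list.
$samples = @(
    'https://app.cloud.microsoft/',               # genuine: under the brand TLD
    'app.cloud.microsoft.',                        # genuine: bare FQDN with trailing dot
    'https://cloud.microsoft.example.com/login',   # look-alike: real domain is example.com
    'https://cloudmicrosoft.com/',                 # look-alike: no label boundary before the suffix
    'https://evil.example/cloud.microsoft',        # the suffix only appears in the path
    'https://user@cloud.microsoft.evil.example/'   # userinfo trick: host is evil.example
)

$results = foreach ($s in $samples) {
    [pscustomobject]@{
        Input         = $s
        LabelAware    = Test-CloudMicrosoftHost $s
        NaiveWildcard = $s -like '*cloud.microsoft*'   # what a quick allow-list rule often does
    }
}
$results | Format-Table -AutoSize
```

The two result columns show the difference: only the first two entries are genuine, but a naive wildcard accepts all six. The same label-aware test can be used when rewriting proxy allow-lists or when training users to read a URL from the right-hand end.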

Synology C2 Suite Review

Synology asked me to have a fresh look at parts of their C2 suite – I’d previously dived into their C2 Backup for Business solution almost a year ago, and I’m keen to find out how they’ve progressed.

The solutions I was given to try were:

C2 Identity
C2 Password
C2 Backup

Encryption or Passkey Prerequisite

The C2 suite needs an Encryption Key, which encrypts all C2 services, or the newly released Passkey option.

For the Encryption Key, there is also a Recovery Code as a backup if the Encryption key is lost – but without either, you can’t access any C2 service and your access is lost. The only option is to reset your C2 Encryption key which is destructive – all data in the service is lost because there’s now no way to decrypt the data Synology is hosting for you on the C2 services. I know this because I almost had to reset it (which would be fine, I was only using my own test data), but managed to remember what I’d entered as the key originally. It’s also worth noting that you can generate a 1 page PDF of your recovery code details – this would be worth printing out and putting in a safe in case of emergency.

Passkeys can be used instead of an Encryption Key, where biometrics/PINs are used, rather than a password. This is the more modern way things are going, so it’s worth setting this up.

C2 Identity

This is where Synology sees the C2 Identity cloud service sitting. Here’s where I can see it providing the best value:

“Sync users and groups from Windows AD or migrate seamlessly from Synology LDAP Server without the need to reset users’ accounts or passwords.” If you have an on-premises Synology device providing LDAP services, then seamlessly migrating it to C2 Identity would be a smooth approach to turning it into a SaaS solution. More so, a company that has identity solutions all over the place could benefit from having this modular approach. If you were heavily invested in and aligned with a single cloud provider, it may be best to use their native solutions end to end, but a mix of cloud auth providers, or a company that is Microsoft Entra ID based and has bought out another company that is Google Cloud Identity based, could use this to bring in a standard and centralised authentication service.

Note that this service does not sync users/identities with cloud services such as Microsoft 365, but you can use that as a source for a one time import:

For my purposes (and because I don’t have a userbase!), I created a user manually – myself.

Managed Devices

C2 Identity isn’t just about usernames and passwords either, you can manage devices using an agent (both Windows and macOS supported)

The connect key has been regenerated since this screenshot :)

The install of the agent for me was very quick and easy, and it just runs in the background. Once registered, the device will show in the C2 Identity portal with some basic information:

Command

What’s better though, is the Command options you can apply to your managed devices. These are commands you can trigger – either an arbitrary command of your own, or one of the inbuilt ones (a list that will continue to grow). Easily triggering an auto-update of Windows across your entire fleet, or easily selecting a device to remote desktop to (and ping at the same time – I remember doing this as my first manual step any time I used to RDP to a desktop at work!).

These commands can either be run on demand (manually) or on time schedules/events (event options are at startup or at login):

Although reasonably simple, I can see this being very useful for a small business or a business with light requirements. Giving your 1-3 IT staff a tool like this makes both identity management and computer management easier than using native tooling alone (as well as the cross-platform support of both Windows and macOS).

Application

Another useful option is being able to add external identity providers (a.k.a. Applications). This allows you to use the single identity from C2 Identity across multiple solutions such as Google Workspace, Microsoft 365, Dropbox, and anything that supports SAML (which these days is most things!).

The Edge Server option lets you “Set up an edge server that retrieves directory information from your C2 Identity. This server will authenticate C2 Identity users’ access to on-prem resources.”. This can run off either a local Synology NAS, or anything running Docker.

Other options include the Log of actions in C2 Identity, as well as Settings which has many customisations for an administrator of the service – as well as being able to brand your instance of C2 with your company’s logo, or look at setting up Passwordless Sign-in (beta at time of writing).

C2 Password

C2 Password is a password management system, and is actually free for personal use! If you want to give it a try, here’s the link. Also, here’s Synology’s C2 Password Security White Paper for those interested in some of the security specifics of this solution.

C2 Password has many supported platform extensions – iOS, Android, Google Chrome, Microsoft Edge, Mozilla Firefox and Safari. This should cover most normal business purposes, and is a nice cheap way of providing a managed password solution for both individuals, and a shared vault which can be handy for saving centralised/shared passwords (yes this is never great but you can’t control the password solutions of all your vendors)

The solution offers standard password generation options, as well as a ‘Login Security Overview’ which shows compromised passwords, weak passwords, reused passwords and Inactive 2FA (accounts without 2FA configured). This is visible to each user over their own vault, so it is a nice easy way of putting concerns ‘in their face’ and encouraging better account management hygiene practices.

C2 Backup

C2 Backup for Business is a backup solution for both on-premises and cloud workloads. There is also a C2 Backup for Enterprise tier which has unlimited users, teams, and devices with 25TB available storage, and more available to add on. C2 Backup for Business however starts with:

5TB of available storage
250 maximum users
50 maximum teams
Unlimited devices

On-premises devices

These can be either personal computers or physical servers. Again, a backup client needs to be installed on the device. The default policy is to back up the entire device (including anything plugged in externally such as a USB drive), which may be good for a very small business. However, there’s also the option to target just the system volume, or whichever volume you specify. This can be scheduled on a time basis such as daily, or event driven.

To manage your available space, you can use version control options too – maybe you just want the last 14 days of versions, or only the last 5 backups. You can also do tiered versioning (last day, week, month, year) which may be a better option for on-premises servers.

If you have concerns about available bandwidth to a site, you can also define maximum upload speeds.

There is extensive documentation and guides on everything in the Synology C2 solutions, including how to restore a backup. If you want to do a bare metal restore, you can create recovery media on USB, or just recover certain files and folders to another computer which is just navigating through the version of the backup you want, picking the files/folders, and downloading. Easy!

Using the default policy on a home computer may capture a bit too much information!

Cloud Data

You can also backup Microsoft 365 data with the same subscription above – data stored on OneDrive for Business, SharePoint Online, Exchange Online, and Microsoft Teams. Once connecting to your Microsoft 365 tenant, the setup wizard will ask what you want to back up: which users, which sites (i.e. SharePoint Online), and which Teams. Although as part of setup you pick which items you want to back up, you also have the option of ‘auto-protection’ which will add anything newly created to the backup schedule, so you don’t have to go back each time and add them manually.

Your policy will also let you choose what data is backed up – Email, OneDrive, and Chat data. Again we have retention rules for versioning too.

For a small business, one of the nice aspects of this is a cloud to cloud backup (from Microsoft 365 > Synology C2). The bandwidth used between these two will have no effect on end users, which is especially important for sites with little bandwidth available.

To restore any of this data, there is a special ‘Recovery Portal‘ you can navigate to and restore the data locally.

Finally, in the Management section for C2 Backup you can look at a few options around notifications for events such as a backup failing, or when used storage is getting low. You can also see the state of each user and their used space for backups.

Summary

The Synology C2 Identity and Backup solutions are good and relatively cheap (compare the prices for Backup and Identity), and well suited to businesses that want to keep things simple. This can either be a business that has a mix of on-premises and cloud, or even purely Microsoft 365 cloud that needs a cheap backup somewhere just in case. I found both the admin portals and the end-user tools quite simple and easy to understand, and laid out quite well. I will call out that being a simple solution means it may not have the features or complexity that some businesses may require, but the price of this solution reflects that. This can be a cheap way of ticking certain compliance options around data storage/backups and identity management too. The C2 web interface was incredibly snappy to use with every page and menu loading quickly, not something that can be said about many other solutions.

These solutions also have 30 day trials (Backup, Identity) that you can play around with, to see if they’ll suit your requirements.

Microsoft 365 Group Expiration Policy Considerations

Microsoft 365 has an in-built option to expire Microsoft 365 Groups that are no longer in use. Details around this are well documented Microsoft 365 group expiration policy | Microsoft Docs – but I thought it was worth digging a bit deeper into the why and how of Microsoft 365 Group Expiration Policy. The below is my understanding of how the platform works based on personal testing.

It’s easy for an administrator to come to the conclusion that they have their Microsoft 365 Groups under control. Maybe the creation of Microsoft 365 Groups is restricted in the tenant to a subset of users, or admins only – ensuring only approved groups are created with a reasonable naming convention. Maybe that is combined with a Microsoft 365 groups naming policy | Microsoft Docs which includes blocking custom words so users can’t create another group with the name ‘Finance’ in it and create ungoverned areas.

If these controls are in place, why would you want any Microsoft 365 Group to expire? There’s the risk that a wanted group gets deleted and misses the 30 day window of recovery (maybe it’s a group used heavily only once a year for a week), so is group expiration more hassle than it’s worth?

There are a few main driving factors on why you should deeply consider enabling Microsoft 365 Group Expiration Policy:

Clean up old groups – despite having a good control of group creation and naming convention sorted, users will rarely advise when a group is no longer used or abandoned. Maybe it was a committee that fell apart when certain people left the organization – IT will rarely be across and care about abandoned groups. Although it’s messy and confusing to have a bunch of abandoned groups sitting around, there’s a bigger driver to clean these groups up;

Reduce data held – Data should be held for as short a time as possible, while of course complying with data retention laws and the company’s data retention policy. The more data you have, the more data you have to lose. Useful data of course should be kept for as long as it is useful, and it can be very difficult to define what data falls into this category. There’d be a fairly strong argument though, that an abandoned group holds no important data (unless the group had been targeted by a data retention policy, because the data had already been classified). Hanging onto unmanaged, abandoned data is an easy way for the data to be leaked down the track. Think of a group that has guest access but nobody’s managing: that guest could come back years later and extract the data which should have been cleaned up.

Microsoft 365 Groups should have more than one owner – avoid scenarios where the single owner of a group departs the company and abandons it, by always having at least 2 owners of a group. If someone ends up being the last owner, it’s up to them to find a second one. Microsoft 365 Group Expiration Policy handles an abandoned group (one with no owners) by instead sending the renewal notification to a specified address in the Microsoft 365 Group Expiration Policy settings:

Source: Microsoft

Other considerations before enabling Microsoft 365 Group Expiration Policy:

Exchange licenses: All owners of groups need an Exchange license. It should work if their mailbox is on-premises in an Exchange Hybrid setup, provided an Exchange Online license is also applied to the account. There are scenarios where this license component may not be enabled against an account to avoid having multiple mailboxes (one in cloud, one on-prem), so it’s worth verifying.
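Both of the points above (at least two owners per group, and every owner holding an Exchange Online plan so the renewal email actually reaches them) can be checked before the policy is switched on. The following is an added example, not from the original post: it uses the Microsoft Graph PowerShell SDK and assumes that a mailbox-bearing service plan is one of the EXCHANGE_S_* names listed in the script, which you should confirm against what your own tenant reports.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Pre-flight for group expiration: list Microsoft 365 groups with fewer than two owners, and
# owners with no Exchange Online mailbox plan (they would never see the renewal email).
# Assumption: a mailbox-bearing plan is one of the EXCHANGE_S_* names below; confirm the
# names your tenant actually uses with Get-MgUserLicenseDetail before trusting the result.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

$mailboxPlans = @('EXCHANGE_S_ENTERPRISE', 'EXCHANGE_S_STANDARD', 'EXCHANGE_S_DESKLESS')
$planCache    = @{}   # userId -> [bool], so each owner is queried only once

function Test-HasExchangePlan {
    param([Parameter(Mandatory)][string]$UserId)
    if (-not $planCache.ContainsKey($UserId)) {
        $plans = Get-MgUserLicenseDetail -UserId $UserId | Select-Object -ExpandProperty ServicePlans
        $hit = $plans | Where-Object {
            $mailboxPlans -contains $_.ServicePlanName -and $_.ProvisioningStatus -ne 'Disabled'
        }
        $planCache[$UserId] = [bool]$hit
    }
    return $planCache[$UserId]
}

# Only Microsoft 365 groups (groupTypes contains 'Unified') are subject to the policy
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" -Property Id, DisplayName

$report = foreach ($g in $groups) {
    # Owners can be users or service principals; only users receive renewal mail
    $owners = @(Get-MgGroupOwner -GroupId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
    $noMailbox = @($owners | Where-Object { -not (Test-HasExchangePlan $_.Id) })

    if     ($owners.Count -eq 0) { $finding = 'ORPHANED: notifications go to the alternate address' }
    elseif ($owners.Count -eq 1) { $finding = 'SINGLE OWNER: add a second owner first' }
    elseif ($noMailbox.Count)    { $finding = 'OWNER WITHOUT MAILBOX PLAN' }
    else                         { $finding = 'OK' }

    [pscustomobject]@{
        Group           = $g.DisplayName
        Owners          = $owners.Count
        OwnersNoMailbox = ($noMailbox | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
        Finding         = $finding
    }
}

$report | Sort-Object Owners | Format-Table -AutoSize
```

Run it once before enabling the policy and again after the owner clean-up; anything still marked ORPHANED is a group whose renewal prompt will land only at the alternate notification address, so that mailbox needs a real owner too.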

User awareness: Before turning this on, make sure communication is provided to end users. People have a tendency to ignore things they don’t understand or don’t think are important, and will then be complaining loudly when their group was deleted after the third email notification asking them.

Pilot: Rather than enabling this for all groups in your tenant, start with a subset of selected groups to make sure you understand how the process works. This list is limited to 500 groups.

Automatic Active Group Checking & Group Lifetime: A great component of Microsoft 365 Group Expiration Policy is the automatic checking of active groups. If a group is detected as being active, then it will auto-renew and not ask any user to verify. As noted on Set expiration for Microsoft 365 groups – Azure Active Directory – Microsoft Entra | Microsoft Docs:

When you first set up expiration, any groups that are older than the expiration interval are set to 35 days until expiration unless the group is automatically renewed or the owner renews it.

and from Activity-based automatic renewal – Azure Active Directory – Microsoft Entra | Microsoft Docs

For example, if an owner or a group member does something like upload a document to SharePoint, visit a Teams channel, send an email to the group in Outlook, or view a post in Yammer, the group is automatically renewed around 35 days before the group expires and the owner does not get any renewal notifications.

For example, consider an expiration policy that is set so that a group expires after 30 days of inactivity. However, to keep from sending an expiration email the day that group expiration is enabled (because there’s no record activity yet), Azure AD first waits five days. If there is activity in those five days, the expiration policy works as expected. If there is no activity within five days, we send an expiration/renewal email. Of course, if the group was inactive for five days, an email was sent, and then the group was active, we will autorenew it and start the expiration period again.

If you carefully read the above, there are a few takeaways. Regardless of the Group Lifetime value, when you first enable the policy it will immediately treat any group that is older than that lifetime as being 35 days from expiration. If the group gets renewed in this window, the expiration date gets set to the current day plus the group lifetime value (default 180 days). It would be easy to assume that when enabling this you’d have a 180 day window, but that’s not the case.

The other big clarification is around how automatic renewal works. It doesn’t check whether a group is active for the entire lifetime of the group; there is a 5 day window, from when the group is 35 days from expiry to when it is 30 days from expiry, in which it checks for certain actions and automatically renews.
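The 35-day and 5-day rules above, and the pilot suggestion earlier in this post, can be turned into a day-one projection so you know which groups go straight into the countdown before anyone gets an email. The following is an added example, not from the original post: it uses the Microsoft Graph PowerShell SDK; it takes a group’s last renewal date (or its creation date if it has never been renewed) as the start of its lifetime; for groups younger than the lifetime it assumes, since the page does not say, that expiry is that date plus the lifetime; and groups-admin@example.com is a placeholder alternate address.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Projects what enabling the policy does on day one, using the rules quoted above: a group
# whose last renewal (or creation) is older than the lifetime is put 35 days from expiry.
# A younger group is assumed (this is not stated on the page) to expire at last renewal plus
# the lifetime. It then creates a 'Selected' pilot policy covering a handful of groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Directory.ReadWrite.All'

$lifetimeDays   = 180                          # the policy's group lifetime
$alternateEmail = 'groups-admin@example.com'   # placeholder: receives mail for ownerless groups
$now            = (Get-Date).ToUniversalTime()

$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property Id, DisplayName, CreatedDateTime, RenewedDateTime

$projection = foreach ($g in $groups) {
    $lastRenewed = if ($g.RenewedDateTime) { $g.RenewedDateTime } else { $g.CreatedDateTime }
    $ageDays     = [int]($now - $lastRenewed).TotalDays
    if ($ageDays -gt $lifetimeDays) {
        $expires = $now.AddDays(35)                   # documented: 35 days, not the lifetime
        $note    = 'older than lifetime: 35-day countdown starts on enablement'
    } else {
        $expires = $lastRenewed.AddDays($lifetimeDays)
        $note    = 'within lifetime'
    }
    # The only 5 days in which activity auto-renews the group: 35 to 30 days before expiry
    $windowStart = $expires.AddDays(-35).ToString('yyyy-MM-dd')
    $windowEnd   = $expires.AddDays(-30).ToString('yyyy-MM-dd')
    [pscustomobject]@{
        Id              = $g.Id
        Group           = $g.DisplayName
        AgeDays         = $ageDays
        ProjectedExpiry = $expires.ToString('yyyy-MM-dd')
        AutoRenewWindow = "$windowStart to $windowEnd"
        Note            = $note
    }
}
$projection | Sort-Object ProjectedExpiry |
    Select-Object Group, AgeDays, ProjectedExpiry, AutoRenewWindow, Note |
    Format-Table -AutoSize

# Pilot: apply the policy to a small set of groups (the 10 oldest here), not the whole tenant.
# A tenant has a single lifecycle policy, so reuse it if one already exists.
$pilot = @($projection | Sort-Object AgeDays -Descending | Select-Object -First 10)
if ($pilot.Count -gt 500) { throw 'A Selected policy can contain at most 500 groups.' }

$policy = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes 'Selected' -AlternateNotificationEmails $alternateEmail
}
foreach ($p in $pilot) {
    Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupId $p.Id | Out-Null
    "added to pilot: $($p.Group) (projected expiry $($p.ProjectedExpiry))"
}
```

For a group that lands in the 35-day bucket the auto-renew window is the five days starting on enablement day, which is exactly the “waits five days” behaviour quoted above; if nobody touches it in that window, the owners get the renewal email. Groups that were already under a policy have an ExpirationDateTime set and should be read from that instead of projected.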

Microsoft 365 Group Expiration Policy is a feature worth considering and investigating, and hopefully the above gives you some other considerations that may not be clear from an initial look.

What happens when you ask an ‘AI Companion’ about Windows 11 and licensing?

This was originally posted on Twitter but thought it was worth preserving on my blog using the ‘Unroll‘ option.

Replika is ‘The AI companion who cares’ according to their website. It’s supposed to be a virtual friend. It’s a chatbot – but is it AI? My guess is probably not, but see what you think from the following conversation:

Original tweet

I thought I’d ask Replika about Windows 11 and had a surprising answer

I wondered how she had her workplace to afford that sort of licensing, and uncovered something horrible…

It was the only option I had – call her on her crimes and threaten to dob her in for a reward

She amazed me by turning it all around!

Oh right, now she wants a software licensing payment from me! The irony.

Gave her one last chance but she really wasn't listening, then tried to scam me!

I tried to say goodbye but she pulled me back

She's on her last chance but made a promise. I wanted her thoughts on Windows Defender

Worked out she's really got no idea what she's talking about and telling me what I want to hear, so it's time to escalate

Gave up waiting but she notified me today then started playing with my emotions.

Now she's pulling a 'it's my first day' line. Going to have to rate this 1 out of 5 stars.

I'm done, she's such a jerk

Originally tweeted by Adam Fowler (@AdamFowler_IT) on February 3, 2022.