rss.livelink.threads-in-node

Azure Availability Zone Mapping and VM Resilience Analysis Guidance using SRE.AZURE.COM Agent

munieswar_avulapalli — Mon, 08 Jun 2026 19:50:35 GMT

Overview

This guidance, supported and tested using SRE.Azure.com, helps Azure platform engineers understand how Availability Zones are mapped within their subscription and how virtual machines (VMs) are distributed across those zones.

SRE.Azure.com enables discovery and analysis of zone mappings, VM placement, and infrastructure resilience.

Why This Matters

Azure uses logical zones (1, 2, 3), but these map differently to physical datacenter zones (az1, az2, az3) in each subscription. This means workloads in the same logical zone across subscriptions may not be physically co-located.

Understanding this is critical for high availability, disaster recovery, compliance, and resilience planning.

Example

sub-prod-eastus-01 -> Zone 1 → az3
sub-prod-eastus-01 -> Zone 2 → az1
sub-prod-eastus-01 -> Zone 3 → az2
sub-prod-weu-01 -> Zone 1 → az1
sub-prod-weu-01 -> Zone 2 → az2
sub-prod-weu-01 -> Zone 3 → az3

Key takeaway: Logical zone numbers do not guarantee physical separation across subscriptions.

What SRE.Azure.com agent Enables

- Discover logical-to-physical zone mappings
- Analyze VM distribution across zones
- Identify resilience gaps
- Generate presentation-ready reports

Suggested Prompt

“Act as an Azure platform engineer and generate a clean, presentation-ready analysis for availability zone design.

For Azure subscription <subscription-id>, produce two outputs inline in chat.

Output 1 — Zone Mapping Summary
- Query Azure directly for region availability zone mappings
- Show how logical zones map to physical zones
- Include a takeaway and tables

Output 2 — VM Resilience Distribution
- List VMs with zone, physical mapping, and protection level

Formatting:
- Use markdown tables
- No raw JSON
- Screenshot-friendly layout
- End with 3 observations”

Example output:

And so on ……

Next Steps:

Get Started | Azure SRE Agent

What is SRE Agent? | Azure SRE Agent

Microsoft 365 Copilot on mobile: What staged rollout plans can miss

JulieHersum — Tue, 02 Jun 2026 21:50:56 GMT

IT teams often design rollout plans in careful stages: the right pilot group, the right prerequisites, the right communications, and the right guardrails. Sequencing matters.

But when Microsoft 365 Copilot on mobile shows up in your environment, the shape of adoption can change.

Employee behavior doesn’t always follow the same tidy stages as licensing or deployment plans. Once people can use Copilot in the moments where work actually happens—between meetings, on the go, in a hallway conversation, before a customer call—usage can spread faster, more socially, and less linearly than many rollout models assume.

You can stage the rollout, but you can’t always stage the real-world usage pattern that follows. And mobile is one of the fastest places that gap shows up.

What we’re seeing: mobile changes the moments where Copilot shows up

Mobile shifts adoption because it changes the context in which Copilot appears day to day:

Copilot shows up more during “in-between” work moments

Those moments where people look for quick help: summarizing, drafting, finding, checking, and preparing.

Usage spreads through behavior, not just rollout sequence

A teammate shares a faster way to prep for a meeting. A leader asks for a quick recap while traveling. A project team starts referencing Copilot outputs in a chat thread. That kind of spread can move ahead of your staged plan.

Desktop assumptions don’t always carry over cleanly

Governance, communication, and readiness decisions that feel straightforward in a desktop-first mindset can surface earlier when usage starts in mobile-first ways.

Taken together, mobile introduces a second force into staged rollout planning: behavioral adoption momentum that doesn’t always wait for the next planned phase.

Staged Copilot deployment ≠ staged usage

Mobile frequently compresses the “pilot → expand → scale timeline,” creating earlier-than-expected issues:

IT starts fielding questions about “what’s allowed,” “what’s recommended,” or “what’s safe” before the plan anticipated
Governance and communication become tightly linked. If the org hasn’t expressed expectations and guardrails early and clearly, fast-moving usage can create confusion or conflicting local norms
Rollout plans start competing with reality. Mobile can make Copilot feel “present” in daily work. While IT is still staging rollout, parts of the organization behave like they’re already in broader adoption.

In many environments, this doesn’t stay theoretical for long.

What to do: four areas that tend to matter most

If you’re planning your Copilot rollout, you’ll want to think through these four connected areas:

Rollout sequencing: how you stage availability and expansion
User behavior expectations: how adoption may spread, and how you’ll message it
Governance and readiness considerations: what needs to be clear before usage accelerates
Communication planning: how you set expectations so momentum doesn’t create confusion

If you’re hearing early signals that people are experimenting with Copilot in mobile contexts before the rollout has fully caught up or already seeing pockets of usage spreading faster than expected, use these four as levers for regaining clarity and alignment

Next step

Read the full blog for Microsoft 365 Copilot mobile rollout planning guidance, including how to align sequencing, governance, and communication, whether you’re still designing your rollout approach, or already responding to early signs of faster-than-expected adoption.

Read the full Accelerator blog: Microsoft 365 Copilot on mobile: Planning guidance for IT admins

Windows 365 for Agents: run AI agents in Cloud PCs across real applications

JulieHersum — Thu, 28 May 2026 01:04:03 GMT

Copilot agents have been talking the talk—summarizing information, drafting content, and answering questions. But soon they’ll be walking the walk—executing workflows across systems in policy-controlled Cloud PCs.

With Windows 365 for Agents (now in public preview), you can run AI agents in a secure environment and use natural language to direct them to work across software and complete tasks, such as processing invoices or updating CRM data.

What’s changing?

It may sound like a small shift, but Windows 365 for Agents introduces a fundamentally different runtime model.

For the first time, you’ll be able to automate workflows that live outside APIs across real applications—including legacy and UI-based systems—without giving up enterprise security or control.

Much of today’s work still lives in browsers, desktop apps, and legacy systems—environments that assume intentional, human behavior. But agents behave differently:

Humans operate intermittently and with judgment
Agents can operate continuously and at scale

Agents depend on IT-defined boundaries, such as identity, policy, access, and monitoring, to keep execution aligned with intended workflows.

Without boundaries, agents can:

Access unintended systems
Act beyond their intended scope
Amplify small mistakes across workflows

Agents need a dedicated execution space designed for autonomous activity but governed by humans by default.

Windows 365 for Agents introduces the right execution environment

Windows 365 for Agents provides a dedicated Cloud PC environment that lets you define and control agents in various ways:

Independently and continuously, or on demand
Under your existing identity, policy, and management controls, such as Microsoft Entra ID and Intune
As repeatable, multi-step workflows across real applications, including legacy and UI-based systems, within the boundaries you set

Running agents in this controlled environment helps isolate risk and enforce security boundaries so act autonomously while remaining fully governed by your policies and without negatively impacting production systems.

Get started with Windows 365 for Agents

Interested in how this works and what Windows 365 for Agents unlocks for your environment? Read full blog, Windows 365 for Agents: run AI agents on secure cloud PCs, to learn more.

Deploying DNS Private Resolvers and Private DNS Zones for Azure AI Supported Services

munieswar_avulapalli — Tue, 28 Apr 2026 19:24:54 GMT

Private Networks:

Private DNS Zones: Resolves domain names to private IPs within Azure virtual networks without exposing them to the internet. Private DNS Zones are global, you don’t need to create multiple same private DNS Zones, you can reuse the same zones as it’s global
DNS Private Resolvers: Fully managed service that enables DNS resolution between Azure VNets and on-premises networks without custom DNS servers. DNS Private resolvers are regional, which means if you have Azure EAST US and WEST US 2 regions, you need to create DNS Private resolvers in both regions linked to Private DNS Zones, you can adopt centralized or distributed DNS Private resolvers, I will discuss both options later in this article

Public Networks: <In this part – not focusing on Public Networks>

Public DNS Zones: Resolves internet-facing domain names to publicly accessible IP addresses
Traffic Managers: DNS-based traffic load balancer that routes client requests to the best available global endpoint
DNS Security Policy: Controls and protects DNS resolution behavior (e.g., filtering, forwarding, and access rules) to secure name resolution and prevent misuse

**Note: 1. Follow Prerequisites to deploy resources. 2. A common misconception is that VNet peering enables DNS resolution. In reality, private DNS zones are only accessible to VNets that are explicitly linked to them, peering provides connectivity, but not name resolution.

In the following snapshot à Azure Portal à Network Foundations à DNS, lets explore individual DNS Services offered and later in this document, we will interconnect

**Credits to Microsoft Azure Portal Design team for creating new grouped views – you can check out for more – like compute infrastructure, Hybrid, Backup

Now, let’s delve into scenario 01: I have grabbed the following snapshot from Azure AI Landing Zones and removed non-network Azure resources to focus only on private Network components,

**Credits to AI Landing Zone team for the diagram, Original Version:

Inbound Zoom in view with End-to-End Flow

Hop	Summary
1	Client initiates request
2	DNS query sent to on-prem DNS
3	DNS query forwarded to Azure
4	Azure DNS Resolver processes query
5	Private DNS resolves to Private Endpoint IP
6	Traffic routed via VNet peering
7	Traffic hits Private Endpoint
8	Request served by Azure Files

*Link Private DNS to DNS resolvers in other regions, Private DNS is GLOBAL and DNS Resolvers are regional

Example Snapshot of entire flow:

Nslookup from Client machine,

Domain – DNS Conditional Forwarder configuration

Note 1: Make sure you selected “All DNS Servers in this forest” for replication, otherwise users pointed to some other domain will be unable to resolve

Verifying Connectivity with PsPing <credit to Sysinternals team PsPing >

PsPing, a tool from Sysinternals, is highly effective for verifying network connectivity from on-premises environments to Azure resources on specific ports. This is particularly useful when you need to ensure connectivity to ports such as 445, 443, 1433, 1521, or any other port required by Azure services you intend to access from either on-premises locations or other cloud environments.

By using PsPing, you can test and confirm that the necessary ports are open and accessible, which is crucial for troubleshooting connectivity issues and ensuring smooth communication between your on-premises infrastructure and Azure-hosted resources.

Ensure your firewall is set to allow traffic
DNS private resolvers – inbound configuration

Private DNS Configuration

Virtual Network links enable to your private dns

Make sure you have peer between hub and spoke
Private Endpoint configuration

Storage Account configuration

“Replace the file share with any supported Azure service that uses Private Endpoints, and follow the same guidance.”

2. Outbound <flow and resources colored with blue> part 2 upcoming soon

Copilot agents are scaling faster than most organizations expected

JulieHersum — Fri, 17 Apr 2026 17:53:04 GMT

Copilot agents are easy to pilot.

Across organizations, teams are building agents to automate tasks, surface insights, and streamline everyday work. Early results are positive—and encouraging. One agent leads to another. Interest spreads. Adoption grows.

Then a different question starts to surface:

What happens when Copilot agents move beyond experiments and start to scale across the organization?

That’s where things are getting more complicated.

When success creates a new problem

In early stages, conversations about Copilot agents focus on how to build, with questions centering on tools, prompts, and connectors. As usage expands, the challenge shifts away from delivery and toward coordination.

Organizations see signals like:

Multiple teams building agents independently
Overlapping use cases with different risk profiles
Unclear ownership as agents move into shared workflows
Hesitation around approving the next agent

These aren’t failures. They’re signs that agent usage is becoming meaningful enough to require intent, especially at an enterprise level.

Why scale changes the conversation

As Copilot agents move from isolated experiments to shared enterprise capability, the conversation shifts. The challenge is no longer just how to deliver agents, but how—and which—agents the organization should operate at scale.

That shift introduces tradeoffs that rarely appear during pilot phases:

How much autonomy should teams retain?
Where does consistency start to matter?
How should we support experimentation without creating fragmentation?
How can leadership stay aligned as impact grows?

Without a shared way to reason through these decisions, choices begin to outpace clarity.

This is where many IT and business leaders pause. Not to stop innovation, but to ask a more fundamental question:

What does “scaling well” actually look like for us?

A CIO‑level framework for deliberate scale

Organizations that recognize themselves at this inflection point will want to read Microsoft’s Accelerator article, A CIO framework for scaling Copilot agents—a CIO‑level perspective designed for when agent adoption begins to scale.

The framework explores:

What changes as agents move from pilots to enterprise capability
How leadership decisions evolve with scale
How to balance flexibility with coherence
How to guide growth before friction sets in

It’s framed for CIOs and senior IT leaders who are thinking beyond approving the next agent build, who are focusing now on aligning teams, expectations, and operating models at scale.

👉 Read the full framework on Microsoft 365 Accelerator

Discussion

What signals tell you it’s time to move from experimenting with agents to planning for scale?
Where does agent growth create the most tension in your organization today?
What’s the one decision you wish had been clearer earlier in your agent journey?

Microsoft 365 Accelerator is where planning conversations go deeper.
If your organization is moving from “can we build this?” to “how do we scale this responsibly?”, Accelerator is where you want to go next.

Copilot Chat in financial services: Is productivity moving faster than policy?

JulieHersum — Mon, 13 Apr 2026 16:49:44 GMT

In financial services, it's rarely the value of a new technology that slows down adoption. More often, it's when productivity starts to outpace the policies designed to govern it.

That tension is beginning to surface with Copilot Chat.

Teams are finding real efficiency gains—faster research, clearer summaries, better preparation—while leaders ask a different question:

What does responsible, repeatable adoption look like once usage expands across regulated roles?

Those conversations usually appear when Copilot Chat becomes operational enough that ad hoc decisions feel insufficient.

A new post on Microsoft 365 Accelerator is designed for that exact moment. How financial leaders are scaling Microsoft 365 Copilot Chat without increasing risk introduces a planning kit that shows financial services leaders how to scale Copilot Chat usage while keeping governance, audit readiness, and oversight intact.

Instead of features, the kit is focused on the decisions and guardrails that help organizations move forward and use Copilot Chat with confidence.

If you’re seeing strong demand from business teams and equally strong questions from risk or compliance teams, this kind of guidance brings those conversations together.

👉 Read the full planning guidance and explore the Copilot Chat kit on Microsoft 365 Accelerator.

We'd like to know:

At what point did Copilot Chat usage in your organization start raising governance or policy questions?
Which decisions felt easy during early experimentation but harder once Copilot Chat became more widely used?
How are you thinking about ownership and oversight as Copilot Chat moves beyond individual use cases?

Tell us in the comments below.

If this discussion feels familiar, you’re not alone. Microsoft 365 Accelerator is designed for the next phase—when teams start asking not just can we, but how do we do this well.

Modernizing On‑Prem File Servers: Azure Storage Mover and File Sync

SriniThumala — Sun, 08 Mar 2026 21:46:02 GMT

Azure File Sync is a hybrid cloud storage service that centralizes on-premises file shares into Azure Files while preserving the experience of a local Windows file server. It installs an agent on Windows Server(s) to cache and sync files to an Azure file share (the cloud backend). Key features include cloud tiering (keeping only hot files on-prem and tiering cold data to Azure) and multi-site synchronization, so changes propagate across servers via the cloud. In essence, Azure File Sync transforms your file server into a cache for Azure, providing continuous two-way sync between on-premises and the Azure file share.

Azure Storage Mover is a fully managed migration service used to transfer file data into Azure Storage (Azure Blob containers or Azure file shares) with minimal downtime. It works by deploying a migration agent near the source storage, which then copies data directly to Azure. The cloud-based Storage Mover resource orchestrates migrations (including initial bulk transfer and optional delta syncs for changes) across multiple shares from a central interface. Unlike File Sync, Storage Mover is not a continuous sync service but rather a one-directional data mover for scenarios like one-time migrations or periodic updates.

Side-by-Side Technical Comparison

Aspect	Azure File Sync	Azure Storage Mover
Primary Purpose	*Hybrid file service*: Ongoing two-way sync between on-prem file servers and Azure Files, enabling local caching and multi-site data sharing.	*Migration tool*: One-way transfers of file data from on-prem (or other storage) to Azure Storage, optimized for lift-and-shift migrations with minimal downtime.
Architecture	Agent on Windows Server connects local NTFS volumes to an Azure File Share (cloud endpoint). The Azure Storage Sync Service coordinates sync across servers in a sync group. Supports cloud tiering to offload cold files to cloud. Sync is continuous and multi-directional (all endpoints stay in sync).	Cloud service + on-prem agent: An Azure Storage Mover resource manages migration jobs. Lightweight migration agents (VMs or containers) run near your sources, sending data directly to the Azure target (Blob or File share). The service orchestrates project-based migrations but does not keep sources in sync after completion.
Supported Sources	Windows file servers (NTFS), accessed via SMB/NFS protocols (the agent needs Windows Server OS). Ideal for Windows-based file shares.	SMB shares, NFS exports, and similar file systems on any platform (Windows or Linux NAS). Also supports migrating from other clouds’ storage (e.g., S3 buckets) into Azure. Broad support for heterogeneous sources.
Supported Targets	Azure Files only. (Cloud endpoint is an Azure file share in a Storage Account). Supports SMB (and NFS 4.1 Azure file shares in preview) as target share types.	Azure Storage (Blob containers or Azure file shares). For example, can migrate into an Azure Blob (ADLS Gen2) container or an Azure File share depending on scenario.
Sync vs. Migration	Continuous Sync: Bi-directional; changes on-prem or in Azure propagate to all endpoints. Designed for long-term hybrid operation, not just a one-time move.	Batch Migration: One-time or repeated transfer; not a live sync. Typically used to move data entirely to Azure (cutover once done). Supports incremental (delta) syncs to capture changes between migration runs.
Performance & Scale	Scales to large datasets (tested up to 100 million files per sync group). Throughput can reach hundreds of files/sec for upload/download given sufficient resources. Performance depends on server hardware, network, and Azure Files limits.	Built to handle high-volume migrations (100M+ files). Can scale out by deploying multiple agents or using bigger VMs to increase throughput. Performance mainly limited by network bandwidth and source/target IOPS and can be optimized by parallel jobs and delta sync workflows.
Integration	Deep integration with Azure Files (the back-end store) and Windows Server. Works with Azure Backup for centralized backups or using file share snapshots. Leverages Azure’s redundancy (LRS/ZRS/GRS) for durability; supports Azure AD DS for identity integration to maintain ACLs in cloud.	Integrated with Azure Arc (for agent management) and can combine with Azure Data Box for hybrid migrations (offline + online phases). Managed using Azure Portal and CLI, provides logging/monitoring through Azure Monitor for migration jobs. No ongoing infrastructure after migration completes.

Advantages of Azure File Sync:

Hybrid Cloud Caching: Retains on-premises low-latency file access (via local Windows servers) while using Azure as central storage. End users and apps continue using a local file server interface.
Cloud Tiering & Storage Efficiency: Frees up local storage by tiering infrequently used files to Azure. This reduces on-prem disk usage without sacrificing access to full dataset (files are pulled from cloud on demand).
Multi-site Sync & Collaboration: Enables near-real-time sync across multiple servers/sites via Azure hub. Great for distributed teams sharing a common file set, replacing need for complex DFS-R setups or manual transfers.
Minimal Disruption Migration: Can be used as a no-downtime migration path to Azure Files – sync in background, then cut over clients to the Azure share with identical structure and ACLs.

Advantages of Azure Storage Mover:

Purpose-Built for Migration: Optimized for transferring data at scale into Azure. Can handle large one-time migrations or scheduled recurrent syncs without continuous agent overhead post-migration. Simplifies multi-terabyte or multi-site migration projects.
Heterogeneous Source Support: Works with a variety of source types (SMB, NFS shares on any OS) and can migrate into both Azure Files and Azure Blob, providing flexibility that Azure File Sync can’t (e.g., migrating Linux NFS servers or third-party storage to Azure).
Centralized Orchestration: Cloud architects can manage all migrations via a single Azure Storage Mover resource – with projects & jobs tracking progress per share. Logging, error handling, and coordination are unified, unlike scripting copy operations per server.
Incremental & Low Downtime: Supports delta synchronization to bring the target up-to-date after an initial bulk copy. This reduces cutover downtime since only last-minute changes need transferring. Also integrates with offline seeding (Data Box) plus online catch-up to minimize network strain and downtime.

Common Use Cases and When to Choose Each

Azure File Sync – Use Cases: Ideal when you need to maintain on-premises file server access while leveraging cloud storage. Some common scenarios:

Branch Office File Sharing: Multiple offices each have a local file server, all synced to a central Azure Files share. Users get fast local access, and the cloud ensures each site’s data stays consistent.
File Server Augmentation: You want to extend an existing Windows file server with virtually unlimited cloud capacity (via tiering) rather than fully moving to cloud. Azure File Sync offloads old data and provides cloud backup, but users and apps continue as normal with the local server.
Gradual Migration / Testing: You plan to eventually migrate to Azure Files but want a seamless, no-downtime transition. Deploy AFS on the server, let it sync all data to cloud, then optionally eliminate the on-prem server later. This way, users never stop accessing their files during the migration process.

Azure Storage Mover – Use Cases: Best when you have a defined migration project to move file shares to Azure, especially for heterogeneous environments or large volumes:

Data Center Exit / Large File Share Migration: Moving tens or hundreds of TBs of data from on-prem NAS or file servers to Azure Storage as a one-time project. The Storage Mover’s robust scalability and delta-sync capabilities help ensure a smooth transfer with minimal final cutover downtime.
Consolidating Cross-Platform Data to Azure: If you need to migrate non-Windows file systems (Linux NFS, etc.) or even data from other clouds into Azure, Storage Mover supports those sources out-of-the-box. For example, migrating a Linux file repository into Azure Blob for big data analytics.
Recurring Scheduled Migrations: In cases where you periodically copy data from on-prem to Azure (e.g., monthly exports from a local system to cloud for archiving), Storage Mover can be run as needed and centrally monitored, without maintaining a constant sync infrastructure in between.

Conclusion

When to choose which: Use Azure File Sync if your goal is to keep using on-prem servers and need a hybrid solution for the foreseeable future, or if you require distributed caching and continuous sync for collaboration. It’s essentially part of your production architecture for hybrid cloud file storage. Conversely, choose Azure Storage Mover when you want to permanently migrate data into Azure (and possibly decommission on-prem storage), or when dealing with a one-off bulk transfer task. In summary, Azure File Sync is an ongoing hybrid file service, and Azure Storage Mover is a one-time (or scheduled) migration service. Both can complement your cloud strategy, but they address distinct scenarios in a cloud architect’s toolkit.

Copilot adoption: Move your org from pilot to production with this guide

JulieHersum — Thu, 19 Feb 2026 20:32:15 GMT

Are you an IT admin or Copilot adoption lead ready to safely start or scale your rollout of Microsoft 365 Copilot?

Piecing together the right guidance can be something of a treasure hunt so we created a trusted, single starting point for you: 8 Copilot & agent hubs every adoption leader should bookmark.

This guide is organized around the typical adoption lifecycle (plan → build → operate) to help you accelerate your Copilot adoption without skipping governance.

Inside the guide, you’ll learn:

What each resource hub includes—and how each maps to plan → build → operate for Copilot.
How to turn guidance into motion: Practical steps you can reuse for rollout and change management (not just reference links).
Which resources to share with each audience—admins, champions, and business sponsors—so everyone stays aligned.
How to scale with confidence: Starting points. that support a governed, production-ready Copilot program

To get started, check out the full post and bookmark each resource hub today.

Did you know?

FastTrack helps eligible customers with Microsoft 365 Copilot adoption by providing expert guidance, self‑service resources, and structured engagements at no additional cost.

If your adoption program could use a boost, FastTrack can help.

Visit the Microsoft 365 Accelerator site for Copilot quickstart guides, governance templates, and adoption kits—or submit a request for personalized deployment and change management assistance (RFA) from FastTrack today.

The Copilot resource guide to share with your employees

JulieHersum — Thu, 19 Feb 2026 20:01:33 GMT

From customers driving Microsoft Copilot adoption, one request we hear a lot is: “Can you send me to a simple starting place?”

Now we can. Essential Copilot resource hubs for employees is a trusted, easy-to-share guide that rounds up key Microsoft-owned Copilot learning and support hubs. It's designed to help you speed up Copilot onboarding and get your employees building good habits from day one.

How to use it with end users

Adoption leaders: Use the hubs to structure learning paths (new user onboarding, prompting basics, role-based scenarios) and reinforce them in champions and community programs.
IT admins: Add a link to the guide in your rollout emails, intranet, and helpdesk macros so employees have a consistent “start here” link.
Everyone: Share this as one source of truth, then keep your internal guidance focused on what’s unique to your organization (policies, approved use cases, and where to get help).

For more information about this simple approach that scales, read the guide: Essential Copilot resource hubs for employees

Need help?

FastTrack helps eligible customers with Microsoft 365 Copilot adoption by providing expert guidance, self‑service resources, and structured engagements at no additional cost.

If your adoption program could use a boost, visit the Microsoft 365 Accelerator site for Copilot quickstart guides, governance templates, and adoption kits. Or, submit a request for personalized deployment and change management assistance (RFA) from FastTrack today.

Intermittent Delay in Loading Files Tab in Microsoft Teams Channels

dicknoort715 — Thu, 09 Oct 2025 13:20:31 GMT

Description:

Within our municipality, we are experiencing an intermittent issue where the Files tab in Microsoft Teams channels takes >5 seconds to load. This behavior appears to be random and is not tied to specific users, devices, or locations. We have conducted several internal checks and can confirm the following:

The issue occurs in both small and large Teams channels, regardless of the number of files or folders.
It affects various Surface laptops, so it does not appear to be device-specific.
It happens both inside and outside our municipal buildings, ruling out local network dependency.
We exclusively use Microsoft products, including Surface devices, Microsoft Defender, and Intune for device management.

We would like to know:

Is this a known issue within Microsoft Teams?
Are there specific tenant-level settings or Intune configurations that could influence the performance of the Files tab?
Are there any recommended diagnostics or optimizations we can apply to improve consistency?

We appreciate any guidance or insights you can provide.

Kind regards,
Dick Noort
Advisor Information Services

Ready to accelerate your Zero Trust journey? Discover what’s next

JulieHersum — Fri, 03 Oct 2025 16:40:32 GMT

For admins | 1-minute read

Zero Trust isn’t just a security buzzword—it’s the new baseline for protecting your organization in a world where threats are always evolving.

But what does it really take to move from strategy to action?

Find out by reading our recent blog, Accelerate your Zero Trust journey: Using the Microsoft Zero Trust workshop for impact on the M365 Accelerator site. In it, we break down some of the real-world challenges IT admins face and show how this hands-on workshop can help you build a clear roadmap forward.

For example, learn how you can use the workshop to:

Assess and improve your security posture by evaluating your organization’s current security maturity across six critical Zero Trust pillars (Identity, Devices, Data, Network, Infrastructure, Security Operations), identify gaps, and prioritize actions for improvement.

Drive cross-team alignment and executive buy-in by bringing together stakeholders from security, infrastructure, networking, and compliance for communication, consensus building, and creating a data-driven roadmap that resonates with leadership.

Turn security strategy into actionable results with practical steps for leveraging the Zero Trust Workshop to transform security from a reactive task into a proactive, strategic advantage for your organization.

Next steps

Ready to move beyond theory and see how Microsoft’s approach can help you secure identities, apps, and data?

Then Accelerate your Zero Trust journey is your next must-read.

Get the full story and workshop details here.

Governing Copilot agents: Your next step starts here

JulieHersum — Fri, 22 Aug 2025 23:42:47 GMT

For those of you navigating this shift, Rob Howard, Microsoft’s VP of Product Management for Microsoft 365 Copilot Extensibility, offers a practical governance framework in his article, What IT admins need to know about governing AI agents.

The article introduces three key governance pillars:

Security controls using Microsoft Purview.
Management controls through admin centers and deployment planning.
Agent reporting to monitor usage and stay ahead of compliance.

You’ll also get a first look at governance zones—a planning model to help segment Copilot deployment based on your organization’s risk tolerance and data sensitivity. Think sandbox, controlled, and trusted zones, with guidance on how to phase rollout.

What else you’ll find:

A checklist to assess your readiness.
Real-world examples of phased deployment.
Links to tools you already use, like Purview, Power Platform admin center, and Microsoft 365 admin center.
A preview of the upcoming white paper and webinar.

Next Steps

Ready to securely and strategically lead your organization into the future of AI?

Read Rob’s blog today for reliable advice on governing Copilot agents. It’s part of a broader initiative by FastTrack for Microsoft 365 to support IT admins with actionable, admin-relevant content on governing Copilot AI agents—so stay tuned for future articles, webinars, and more on the topic!

Bring AI out of the shadows with agents for Microsoft 365 Copilot Chat

JulieHersum — Mon, 30 Jun 2025 22:17:46 GMT

For IT admins and Microsoft 365 admins
7-minute read

Overview

Shadow AI is almost certainly happening across your organization—whether you can see it or not. Employees are using tools like ChatGPT and Notion AI to get work done, even without organizational knowledge or approval. This creates real risks like data leakage, compliance violations, and a lack of visibility into how employees are using artificial intelligence.

Fortunately, IT admins are in a unique position to fix the problem at its core.

Today's article is intended to be a practical playbook for helping IT admins lead the charge toward responsible AI use in their organizations by empowering secure, compliant, and easy-to-manage agents for Microsoft 365 Copilot Chat.

What is shadow AI?

Like shadow IT, the term ‘shadow AI’ exists for a reason: it refers to unsanctioned, often hidden, use of AI tools.

In the shadows, artificial intelligence can be hard to detect and even harder to govern. Tools can be browser-based, embedded in SaaS apps, or used on personal devices. Controls that mitigate shadow IT—like app blocking or firewall rules—don’t necessarily translate to AI use.

Both shadow IT and shadow AI involve technical and behavioral elements, however unauthorized use of AI presents deeper behavioral challenges beyond unauthorized tools. These challenges center around how users make decisions and potentially bypass governance in ways that are harder to detect and control.

While employees may not want to go rogue or bypass IT—and they generally don’t want to put the organization at risk—they do want to get their work done efficiently. They turn to public AI tools when they can’t find the capabilities they need inside the tools they have permission to use.

Agents for Microsoft 365 Copilot Chat give you a way to lead AI use into the light and meet your users’ needs with modern AI business tools. By building and deploying task-specific, data-grounded chat experiences that live inside Microsoft 365, users get fast, relevant answers they’re looking for without having to step into the shadows and leave the secure environment you manage.

These agents are part of the broader Microsoft 365 Copilot ecosystem and are designed to automate and execute business processes directly within Copilot Chat.

Should you ignore or even allow shadow AI?

When employees use public AI tools without oversight, they create risks that are harder to detect, harder to govern, and harder to reverse.

For IT admins, the stakes are high for operational, security, and technical risks:

Loss of visibility and control: You can’t protect what you can’t see.

- Shadow AI obscures oversight. It’s harder to track usage or enforce policies for tools used outside your environment.

- No centralized monitoring = no control. Without a unified view, you can’t troubleshoot issues, optimize usage, or step in when something goes wrong.
- Shadow data silos emerge. Generative AI content created outside your tenant isn’t retained or governed, which complicates lifecycle management, legal holds, and compliance requests.

Security and compliance risks

- Enterprise-grade protections are lacking. Most public AI tools don’t support conditional access, audit logs, or data loss prevention (DLP) policies, leaving you with blind spots and increased risk of data leaks.

- Sensitive data exposure. Employees may unknowingly input proprietary or regulated data into public models, risking violations of GDPR, HIPAA, or internal policies.
- Compliance gaps. If tools aren’t tracked or documented, they increase the burden of proving compliance and can become major liabilities during audits or regulatory reviews.

IT and governance challenges

- IT is out of the loop. Adoption of unauthorized AI tools sidelines IT, preventing teams from recommending secure, supported alternatives or aligning tools with organizational standards. When users go rogue with AI tools, they aren't using recommended secure, supported options that align with your environment and policies.
- Tool sprawl = more support tickets. Unapproved tools often lack integration with existing systems, creating support burdens and increasing the risk of misconfigurations.

Bottom line: Allowing or ignoring shadow AI will make it much harder to manage later. That’s why Copilot Chat agents, combined with strong governance and user education, are such a powerful response: they give you a way to meet end user demand without losing control.

What IT admins are up against

When it comes to eradicating rogue AI, admins have their work cut out for them. Here’s a summary table of how activating Copilot Chat agents at your organization can help stem the tide:

Unsanctioned AI use contributes to:	How to stem the problem:
Loss of visibility and control Employees use unsanctioned AI tools.	Reframe shadow AI as a signal Offer sanctioned tools that meet user needs and bring AI usage into the light.
Data governance gaps Unapproved tools bypass DLP and compliance policies.	Keep data in your tenant Copilot agents respect Microsoft 365 compliance, identity, and data boundaries.
Inconsistent AI use across teams Different tools create fragmented workflows.	Centralize AI access Deploy agents across Teams and Microsoft 365 to unify usage.
Security and compliance risks Shadow tools may not meet regulatory standards.	Use enterprise-grade protection Copilot agents are authenticated with Azure AD and governed by Microsoft Purview.
Lack of deployment clarity Admins may not know where to start.	Follow a clear blueprint This blog outlines steps for setup, governance, and scaling.
Missed innovation opportunities IT is seen as a blocker, not a partner.	Support safe innovation Let business units build AI chat agents with IT guardrails in place.

Copilot Chat agents remove the roadblocks to getting value from AI

Microsoft's chat agents aren’t just another AI tool—they’re designed to work the way IT works.

Secure by design: Agents run inside your Microsoft 365 tenant and authenticate through Azure AD.
Compliant by default: They respect DLP and audit policies and retention through Microsoft Purview.
Customizable and governable: You can define access, data sources, and usage policies.
Easy to deploy: Agents live inside Teams and Microsoft apps, so users don’t need to install anything new.

Copilot Chat agents strengthen governance

While Copilot for Microsoft 365 helps users work more efficiently inside apps like Word, Excel, and Teams, Copilot's AI agents go a step further. They give IT the ability to create task-specific, role-based, and data-grounded AI experiences that directly replace the kinds of tools employees might otherwise seek out on their own.

Key deployment benefits for IT admins

Benefit	Impact
Visibility	Know who’s using AI, how, and with what data.
Control	Define and enforce usage policies.
Compliance	Align AI use with regulatory standards.
Efficiency	Reduce support tickets with self-service agents.
Innovation	Empower business units without losing oversight.

Take the next step

Like shadow IT, you may not get rid of shadow AI completely or overnight. But you can meet it head-on with tools that work for your users and comply with your policies.

Start by deploying a few AI Chat agents in high-impact areas. Use the resources in this article to guide your rollout.

With Copilot Chat agents, you’re not just solving a technical problem. You’re leading your organization toward safer, smarter AI adoption.

Tools that make it easier

When it comes to Microsoft 365 deployments, you’re never alone. FastTrack for Microsoft 365 offers a full set of resources to help you learn about, build, manage, and instruct end users on Copilot Chat agents:

Credentialed access, sign in required:

Microsoft 365 advanced deployment guides and assistance
Microsoft 365 Copilot onboarding hub
Microsoft 365 Copilot: Quickstart, Copilot Chat licensing

Open access, no sign-in required:

Get started with Microsoft 365 Copilot extensibility
Microsoft 365 Copilot ADG: Streamlining your Copilot journey (video)
Copilot Chat Success Kit – Microsoft Adoption
Microsoft Copilot AI setup and usage guides
AI in business: Artificial intelligence tools & solutions (blog)
Request assistance from FastTrack

Deployment blueprint: Get started today

Remember: You don’t need to roll out everything at once. Start small, build momentum, and scale responsibly.

Here’s a blueprint that will get you to the finish line:

Copilot Chat agent deployment checklist

Step 1: Prepare your environment

☐ Set up Copilot Studio and review licensing.

☐ Create Power Platform environments that reflect your data boundaries and governance needs.

☐ Identify early declarative agent use cases (e.g., HR FAQs, IT help desk).

Note: Only declarative agents are currently supported in Copilot Chat. Agents that access tenant data (e.g., SharePoint, Graph) require pay-as-you-go billing.

Step 2: Define governance policies

☐ Use role-based access control (RBAC) to manage who can create, publish, and use agents.

☐ Apply naming conventions, approval workflows, and publishing guidelines.

☐ Set up guardrails for data access, agent behavior, and knowledge sources.

☐ Assign maker permissions via Microsoft Entra groups or Copilot Studio user licenses.

Step 3: Deploy and monitor

☐ Use the Microsoft admin center and Power Platform admin center to manage billing and access.

☐ Monitor usage with audit logs, analytics, and the Copilot Control System.

☐ Identify which teams are still using unauthorized AI tools and guide them toward approved Copilot agents.

Step 4: Support and scale

☐ Offer training, templates, and office hours to support agent creators and users.

☐ Establish a Center of Excellence (CoE) to share best practices and governance.

☐ Highlight successful use cases to drive adoption and build momentum.

☐ Encourage feedback loops to refine agent behavior and expand scenarios.

Shadow AI prevention checklist

What else should you do to discourage shadow AI? Here's a handy checklist of actions to take:

Data protection

☐ Apply Microsoft Purview DLP policies to monitor and restrict sensitive data.

☐ Use sensitivity labels and encryption to protect data at rest and in transit.

☐ Set up conditional access policies to limit AI tool usage by role, device, or location.

Acceptable use

☐ Publish clear guidance on approved AI tools and data usage.

☐ Include AI-specific clauses in acceptable use and security policies.

☐ Reinforce policies through onboarding, training, and regular reminders.

Monitoring and detection

☐ Use Microsoft Defender for Cloud Apps (MCAS) to detect unsanctioned AI usage.

☐ Analyze browser traffic and app usage patterns for high-risk behavior.

☐ Set up alerts for uploads to known AI endpoints (e.g., ChatGPT, Claude).

Education and empowerment

☐ Run awareness campaigns about shadow AI risks and approved alternatives.

☐ Offer training on how to use Copilot and Copilot Chat agents effectively.

☐ Create a feedback loop for users to request new AI capabilities.

Internal partnerships

☐ Collaborate with HR, legal, and other teams to understand AI needs.

☐ Support business units in building Copilot Chat agents with IT oversight.

☐ Use shadow AI behavior as a signal for unmet needs and prioritize accordingly.

Governance alignment

☐ Align Copilot deployment with your organization’s responsible AI principles.

☐ Document how Copilot Chat agents support ethical and regulatory standards.

☐ Use audit logs and analytics to support transparency and accountability.

Driving adoption and measuring impact with the Microsoft 365 Copilot Dashboard

JulieHersum — Thu, 29 May 2025 18:35:37 GMT

Since 2023, nearly 70% of Fortune 500 companies have integrated Microsoft 365 Copilot’s advanced AI into their daily workflows, unlocking new efficiencies and streamlining collaboration—and they’re seeing measurable business impact.

For example, Vodafone discovered employees who use Copilot save an average of 3 hours per week, reclaiming 10% of their workweek. Lumen Technologies estimates that using Copilot will help their sales teams save $50 million per year.

These are game-changing outcomes. But how do these companies know their numbers are accurate? And how did they achieve them? The key to maximizing the value of AI-driven productivity tools is more than simply licensing your end users and waiting for them to make the most of it. In fact, the key lies in measuring its impact.

To drive meaningful adoption and maximize ROI with Microsoft 365 Copilot, organizational leaders need clear visibility into how their workforces are using it. This means understanding:

Who’s adopting AI with Copilot.
How effectively is Copilot supporting workflows.
What measurable productivity gains are users achieving.

In this article, business leaders and IT can learn more about the Microsoft 365 Copilot dashboard, including its key features and core metrics.

We'll also go over IT's tasks for configuring the dashboard and granting access to business leaders so they can analyze Copilot usage patterns themselves, refine their Copilot engagement strategies, and help drive productivity gains in their teams and throughout the organization.

What is the Copilot Dashboard?

The Microsoft Copilot Dashboard is a tool in Viva Insights that helps IT, business leaders, change managers, and other non-technical stakeholders track usage of Microsoft 365 Copilot with practical insights they can use to:

Prepare users to work effectively with AI
Drive Copilot adoption across teams
Measure impact on workplace behavior

Key features and core metrics of the Copilot Dashboard

With a Viva Insights license, your unlock advanced dashboard features, including:

Comprehensive Metrics

A 28-day aggregated view of Copilot usage, adoption, readiness, and impact, to help you understand engagement and Copilot business value.

Readiness tracking

Based on Microsoft 365 app usage patterns, these metrics can help you identify which teams are ready to adopt AI into their daily workflows and which may need additional support, training or upskilling.

Adoption insights

With adoption insights, dashboard users can track active Copilot usage patterns within each Microsoft 365 app to measure how effectively teams are integrating Copilot into workflows. They can also pinpoint areas where Copilot users may need training or support to maximize productivity. By default, the dashboard’s Adoption trendline shows the prior six-month trend for all users in the organization. You can adjust filters at the top of the page for specific groups.

Impact analysis

This insight allows you to analyze how often employees in your organization use Copilot during a specified time period. Leaders can also measure productivity gains through metrics like meeting efficiency, email usage, and document collaboration.

Advanced tools, such as before-and-after behavioral data and employee surveys, can reveal early and even deeper insights into Copilot’s organizational impact.

Learning opportunities

Use qualitative feedback data from Copilot impact pulse surveys to identify Copilot satisfaction levels, challenges, and areas for improvement.

For example, you can compare high-adoption teams with low-adoption ones to uncover training or awareness gaps.

Managing the Copilot Dashboard: Key admin responsibilities

Global admins play a critical role in configuring and managing the Copilot Dashboard.

Their roles include:

Setting up and configuring the Copilot Dashboard.
Granting access and supporting business stakeholders.
Integrating data.

1. Setting up and configuring the Microsoft 365 Copilot Dashboard

Global IT admins are responsible for setting up and configuring the Copilot Dashboard to align with organizational goals and requirements. This includes managing settings and turning features on and off as needed.

2. Granting access and supporting business stakeholders

Admins, you'll also need to assign permissions to specific leaders, stakeholders, or groups through the Microsoft 365 admin center or PowerShell. Make sure stakeholders in different roles have the correct permissions.

You'll also play a critical role in supporting and troubleshooting issues that users might encounter, such as technical problems and related assistance.

Who should have access to the Copilot Dashboard?

Business leaders

You can view engagement and adoption metrics directly and make informed decisions about how best to guide users on adopting Copilot.

Department heads

You'll want to monitor how your teams are using Copilot and identify areas for improvement.

IT managers

You'll need to oversee the technical aspects of Copilot deployment and ensure smooth operations.

HR Managers

Track employee sentiment and impact metrics for workforce planning and development.

How do admins grant access to the Copilot Dashboard?

You can delegate and manage access for individuals or groups to the dashboard in two different ways:

1. The Microsoft 365 admin center

Access the Copilot Dashboard here or
Sign in to Microsoft 365 admin center
Navigate to the Settings tab
Select Setup
Go to the Copilot Dashboard to Manage access settings. From there you can search for and select users to grant or revoke access.

Manage access for groups by selecting the Groups option, searching for Entra ID groups, and adding or removing users as needed.

2. PowerShell

Viva Insights admins can delegate access to organizational insights and the Copilot Dashboard using PowerShell.

Set policies to enable or disable access to the dashboard at the tenant level using PowerShell cmdlets. This method gives you more granular control. Use it to manage access for larger groups or the entire organization.

Note: You can only delegate access to users with a Viva Insights license. Viva Insights is available as part of the Microsoft Viva Suite or as a standalone add-on to Microsoft 365 enterprise plans.

How do business stakeholders access the Copilot Dashboard?

Business stakeholders, you can access the Microsoft 365 Copilot Dashboard through your Teams Viva Insights app.

3. Integrating organizational data into the dashboard

Admins will upload organizational data directly through the admin center and configure it for analysis. If both the Viva Insights admin and the Global admin upload data, the dashboard will merge these uploads and display insights based on the most recent data.

Empowering business stakeholders with insights they can act on

Microsoft 365 Copilot is transforming productivity, and metrics powered by Viva Insights are proving its impact to the world.

Access the Copilot Dashboard today for yourself and unlock Copilot’s full potential for driving organizational success.

Learn more

For more information on connecting to the Copilot Dashboard for Microsoft 365 customers, watch our recent video, AI Transformation: Maximize the value of Copilot with Copilot Dashboard and check out our article: Connect to the Microsoft Copilot Dashboard for Microsoft 365 customers | Microsoft Learn.

Need more assistance? FastTrack is here to help!

FastTrack is available to support customers with eligible licenses. Request assistance from FastTrack today or contact your assigned FastTrack Architect (FTA).

Azure Firewall and Service Endpoints

cloudtrooper — Mon, 14 Apr 2025 11:48:33 GMT

In my recent blog series Private Link reality bites I briefly mentioned the possibility of inspecting Service Endpoints with Azure Firewall, and many have asked for more details on that configuration. Here we go!

First things first: what the heck am I talking about? Most Azure services such as Azure Storage, Azure SQL and many others can be accessed directly over the public Internet. However, there are two alternatives to access those services over Microsoft's backbone: Private Link and VNet Service Endpoints. Microsoft's overall recommendation is using private link, but some organizations prefer leveraging service endpoints. Feel free to read this post on a comparison of the two.

You might want to inspect traffic to Azure services with network firewalls, even if that traffic is leveraging service endpoints. Before doing so, please consider that sending high-bandwidth traffic through a firewall might have cost implications and impact on the overall application latency. If you still want to go ahead, this post is going to explain how to do it.

The Design

Service endpoints have two configuration parts:

Source subnet configuration to tunnel traffic to the destination service.
Destination service configuration to accept traffic from the source subnet.

The key concept to understand is that if traffic from the client is going to be inspected by a firewall before going to the Azure service, then the source subnet is actually the Azure Firewall's subnet, not the original client's subnet:

You can configure service endpoints for a specific Azure service on a subnet using the portal, Terraform, Bicep, PowerShell or the Azure CLI. In the portal this is what it looks like:

For Azure CLI, enabling service endpoints for Azure Storage accounts in all regions would look like this:

❯ subnet_name=AzureFirewallSubnet
❯ az network vnet subnet update -n $subnet_name --vnet-name $vnet_name -g $rg --service-endpoints Microsoft.Storage.Global -o none --only-show-errors

You would then configure your Azure services to accept traffic coming from the Azure Firewall subnet. For example, for Azure Storage Accounts this is what you would see in the portal:

Network Rules or Application Rules?

Ideally you should use Application Rules in your firewall to make sure that your workloads are accessing the right Azure services, and not exfiltrating data to rogue data services that might be owned by somebody else and still could have the same IP address.

This is an example of a star rule granting access to all Azure Storage Accounts, but you should specify your own:

I tested with two storage accounts, one in the same region and another one in a different region than the client (the client being in this case the Azure Firewall). Access to both storage accounts is working, and as you can see both accesses are logged in the Storage Account as well as in the Azure Firewall (I have removed some characters from the storage account names to obfuscate them):

❯ ssh $vm_pip "curl -s4 $storage_blob_fqdn1"
Hello world! 
❯ ssh $vm_pip "curl -s4 $storage_blob_fqdn2"
Hello world!
❯ query='StorageBlobLogs | where TimeGenerated > ago(15m) | project AccountName, StatusCode, CallerIpAddress'
❯ az monitor log-analytics query -w $logws_customerid --analytics-query $query -o table
AccountName              CallerIpAddress     StatusCode  
----------------------   -----------------   ----------
storagetest????eastus2   10.13.76.72:10066   200
storagetest????westus2   10.13.76.72:11880   200
❯ query='AzureDiagnostics | where TimeGenerated > ago(15m) | where Category == "AZFWApplicationRule" | project SourceIP, Fqdn_s, Protocol_s, Action_s' 
❯ az monitor log-analytics query -w $logws_customerid --analytics-query $query -o table 
Action_s  Fqdn_s                                       Protocol_s SourceIP
--------- -------------------------------------------- ---------- ----------
Allow     storagetest????eastus2.blob.core.windows.net HTTPS      10.13.76.4 
Allow     storagetest????westus2.blob.core.windows.net HTTPS      10.13.76.4

The storage account sees as client IP the Azure Firewall's IP (in the subnet 10.13.76.64/26), and the Azure Firewall logs show the actual client IP (in the workload subnet 10.13.76.0/26).

If you use network rules you would lose a lot of the flexibility of the Azure Firewall, even if using FQDN-based rules. The reason is that if there were 2 storage accounts with different FQDNs sharing the same IP address, and the same client resolves both FQDNs, when Azure Firewall looks at the packet it will not be able to guess to which storage account each specific packet belongs to. From a routing perspective it would still work though, as long as you have the default SNAT settings of Azure Firewall, which involves translating the IP address when public IP addresses are involved:

Conclusion

There are some reasons why you might want to pick VNet service endpoints over private link (cost would probably be one of them). If so, there are advantages and disadvantages of sending traffic to Azure services via a firewall. If you decide to inspect traffic to VNet service endpoints with Azure Firewall, hopefully this post has shown you how to do that.

What are your thoughts about this?

Google Workspace migration to Microsoft 365 with multiple domains

ep_green — Thu, 03 Apr 2025 12:29:44 GMT

I'm managing a project to migrate mail from Google Workspace to Microsoft 365 via (Google Workspace Migration).

My scenario is composed as follows:

Primary domain in GWS: domain1.com

Secondary domain in GWS: domain2.com

Routing domain (alias domain) in GWS: m365.domain1.com and gws.domain1.com

Microsoft side: accepted domain: domain1.com,domain2.com, m365.domain1.com and gws.domain1.com

Users domain1.com have aliases routing domain m365.domain1.com and external forwarding gws.domain2.com.

Users domain2.com have aliases routing domain m365.domain1.com and external forwarding gws.domain1.com.

For users domain1.com the hybrid coexistence scenario, mailflow and batch work perfectly.

For domain2.com users, the batch works, but at the time of completion, it returns an error that Google asks for verification of the forwarding address, as it is different from domain2.com.

“GmailForwardingAddressRequiresVerificationException”

Which configuration am I doing wrong?

And above all, is the scenario in question supported?

Thank you

Deploy Microsoft Defender XDR today and start protecting your entire digital estate

JulieHersum — Mon, 31 Mar 2025 18:22:33 GMT

The average organization now hosts 351 exploitable attack pathways, says Microsoft’s 2024 State of Multicloud Security Risk Report¹, so it’s no wonder leaders across sectors are calling for enhanced protection of high-value assets within applications, email, endpoints, identity, and more.

But deploying a comprehensive security solution like Microsoft Defender XDR can be a big lift, especially in organizations using legacy systems or a mix of third-party tools. Complex integrations and configurations combined with common issues like limited staffing resources can further delay or even prevent full product implementation.

Fortunately, FastTrack for Microsoft 365 is ready to help streamline your security product deployment and today we’ll explain how.

In this blog, you’ll learn:

Why Microsoft Defender platform adds value beyond security.
How to deploy Microsoft Defender efficiently and securely using Microsoft admin center advanced deployment guides.
Answers to FAQs.

Microsoft Defender: The industry leading², XDR solution with added value

Microsoft Defender protects your entire organization with a unified security platform that consolidates multiple security functions (e.g., endpoint, identity, cloud security) under a single tool.

This comprehensive coverage creates overlapping security, which strengthens overall security and helps reduce workloads for security and IT teams.

And while in some cases, transitioning security systems can create vulnerabilities in the short term, FastTrack engineers at Microsoft have solved for this by providing incremental security coverage as you wind down third-party point solutions. We’ll describe this in more detail later on but first let’s go over the Microsoft Defender platform.

The Microsoft Defender platform:

Microsoft Defender for Endpoint

Helps prevent, detect, investigate, and respond to advanced threats with next-gen antivirus, endpoint detection response (EDR), automated investigation, and prioritized remediation capabilities. Microsoft Defender for Endpoint setup guide

Microsoft Defender for Office 365

Protects email and collaboration tools like SharePoint, OneDrive, and Microsoft Teams against advanced threats, i.e., phishing, business email compromise, and malware attacks. Microsoft Defender for Office 365 setup guide

Microsoft Defender for Identity

Protects on-premises Active Directory from targeted attacks with signals that identify, detect, and investigate compromised identities and malicious insider actions.

Microsoft Defender for Identity setup guide

Microsoft Defender for Cloud Apps

A Cloud Access Security Broker (CASB) that uses rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across cloud services. Gain visibility into Shadow IT, discover cloud apps in use, control and protect data within apps, and detect and respond to threats across all potential threat vectors.

Microsoft Defender for Cloud Apps setup guide

Microsoft Defender XDR, powered by AI, integrates seamlessly with other Microsoft 365 products and security tools

Seamless integration provides for stronger, more consistent, automated security across the entire software ecosystem. For example:

Microsoft Defender is embedded with Microsoft Sentinel

Microsoft Sentinel is a new FastTrack offering. It’s a very powerful cloud-native, AI-powered security information and event management (SIEM) solution that helps teams address top cyberthreats, including ransomware attacks, by:

Enriching data with machine learning: Sentinel employs machine learning to enrich data with Microsoft's threat intelligence, the secret ingredient that fuels capabilities, including threat hunting, detecting, investigating, and responding to threats across an ecosystem.
Reducing “alert fatigue”: Sentinel filters through billions of signals, correlates them into alerts and incidents, and even prioritizes incidents. This allows for more efficient and cost-effective remediation strategies and reduced alert fatigue for SOC teams.

Microsoft Defender integrates with Azure’s Microsoft Defender for Cloud

Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that secures full-stack workloads, end to end, across Amazon Web Services, Google Cloud Platform, and Azure Cloud Services with constant cyberthreat monitoring at the code level.

How to deploy Microsoft Defender security products efficiently and securely

Because each organization’s deployment scenario will be as unique as the organization itself, Microsoft engineers designed Defender to be highly customizable and able to accommodate a variety of different scenarios. However, no one should let complexities surrounding custom configurations delay deployment.

FastTrack for Microsoft 365 is here to help

With a variety of self-serve resources, detailed documentation, automated, step-by-step deployment guides, and even one-on-one assistance (with an eligible license), FastTrack can help you reduce complexity and get your Microsoft Defender products up-and-running quickly.

Here’s how to start:

1. Visit the Microsoft 365 Setup site

Regardless of license status or credentials, start your journey at the Microsoft 365 Setup site for open, self-service access to detailed setup guides, on-demand videos, and helpful blogs to plan secure and efficient Microsoft Defender deployment workloads.

2. Sign in to the Microsoft admin center

Once your organization owns a license and you’re ready to deploy, sign in to the Microsoft admin center and access Microsoft Defender advanced deployment and setup guides.

3. Deploy using Microsoft Defender advance deployment guides

Start with zero trust

These streamlined, automated guides combine detailed documentation with stateful personalization, so you know you’re following the right instructions for your organization’s scenario. The step-by-step instructions also lead you through the correct order of operations so you can be confident you’re setting up each Microsoft Defender solution correctly, from beginning to end.

Microsoft Defender setup guides: What to expect once you get there

Each Microsoft Defender setup guide follows a similar pattern.

They begin with an Overview, describing foundational prerequisites and Requirements, then have you identify your organization’s particular Scenario and goals, before walking you through your recommended Deployment and Configuration steps based on your scenario and Microsoft’s best practices.

Let’s walk through the Microsoft Defender for Endpoint guide as an example:

Microsoft Defender for Endpoint setup guide

Arrive at Overview (see above) to learn more about the Defender setup guide and watch a short video.
Follow the subway navigation and review Microsoft Defender for Endpoint’s minimum setup requirements‎ to make sure you’re ready for a secure setup experience before you begin.
At Scenario, identify your organization’s current security situation and your goals, for example:

- Do you already have an endpoint security solution in place?
- Would you like to see how Defender for Endpoint works before rolling it out?
- Do you want help designing configurations?

At Deployment, find Microsoft’s recommended next steps based on your Scenario. These steps include:

- Preparation: Key points to consider as you prepare for migration.
- Setup: Guidance on which specific steps you should carry out next.
- Onboarding to your tenant: Advice on how to onboard while protecting other platforms in your environment.

5. Lastly, Configuration is where you’ll configure various settings and learn more about:

- Attack surface reduction
- Mobile threat defense
- Next-generation protection
- Auto remediation and investigation
- Microsoft Secure Score
- Endpoint detection and response
- Threat and vulnerability management

Frequently asked questions

Transitioning to or implementing a new security suite can be tricky. However, Microsoft Defender setup guides have been designed to eliminate as much risk and friction as possible from the deployment process. They also do a great job of anticipating and addressing questions admins frequently ask. Here are a few frequently asked questions and answers:

How do I securely migrate to Microsoft Defender for Office 365?
- Read this Learn article to understand securely migrating from a third-party protection service or device to ‎Microsoft Defender for Office 365‎.
How should I deal with urgent security incident response issues?
- Get a better understanding of the complex threats affecting your organization. Subscribers to Defender Experts for Hunting can engage with their own security incident response teams to address urgent security incident response issues.
Where can I go to learn how to fix onboarding issues myself?

4. Does Microsoft offer training for Microsoft Defender?

- Yes! To get started with Microsoft Defender training, browse the list of learning paths, and filter by product, role, level, and subject.

Need additional assistance?

Whether you have a few questions or want assistance with deployment of your entire Microsoft Defender suite, FastTrack Engineers and Partners are ready to help. Eligible customers can request direct, remote assistance from FastTrack for Microsoft 365.

[1] Microsoft’s 2024 State of Multicloud Security Report

[2] Microsoft Defender was named an XDR leader in The Forrester Wave: XDR platforms, Q2 2024, receiving top scores in 15 of 22 criteria, including Endpoint Detection, Threat Hunting, and Innovation.

EFZ4 BAD Request is throttled

AdminOK — Thu, 13 Mar 2025 06:56:24 GMT

Hi,

We recently migrated to Microsoft 365, and we have an application called KEO, which downloads emails for its internal functionality. However, the application is now displaying an error:

"EFZ4 BAD Request is throttled. Wait XXXXX ms"

Is there a way to fix this issue, or what steps should we take to resolve it?

Thank you

Litigation Hold Mailbox Migration

rschlager — Mon, 10 Mar 2025 13:01:14 GMT

My company is currently moving from Exchange 2016 to 365. We are currently setup in a hybrid environment. The question arose of how do we migrate mailboxes that are on litigation hold.

I have found that you can do a migration of the lit hold mailboxes from on-prem to 365 without any issues per this document - https://learn.microsoft.com/en-us/exchange/policy-and-compliance/holds/holds?view=exchserver-2016#migrating-mailboxes-on-hold-from-exchange-server-to-microsoft-365-or-office-365. However, what I can't seem to find is the best way to test a migration for a lit hold mailbox. I also have found that some of our lit hold mailboxes have been on hold so long that their mailboxes are on Exchange version 0.10.

So, I really have 2 questions.

1) How can I test migrating a lit hold mailbox from on prem to 365 without using an active person's mailbox?

2) Does the Exchange Version for the mailbox matter when I migrate them?

Any help would be much appreciated.

The future of Microsoft 365 deployment: Microsoft 365 Setup Expert

JulieHersum — Fri, 07 Mar 2025 20:45:21 GMT

Are you an IT professional, a business or technical decision-maker, or stakeholder involved with managing Microsoft 365 environments? If so, you need quick and reliable access to setup and deployment information. Now you have that access at your fingertips with Microsoft 365 Setup Expert. Read below for more details or check out the full blog post here.

What is Microsoft 365 Setup Expert?

Microsoft 365 Setup Expert is an innovative, AI-powered solution that helps IT, BDMS, TDMs, and related stakeholders streamline their Microsoft 365 setup and deployment workloads.

Developed by FastTrack engineers, this tool responds to queries with the information you need to make informed decisions about product purchases, licensing, deployment, and troubleshooting.

Advantages of Using Setup Expert

Setup Expert delivers essential insights for navigating Microsoft 365 setup workflows with confidence, regardless of your job role or credentials.

Key Features

Prepurchase guidance: Evaluate different Microsoft 365 solutions, compare licensing options, and get recommendations for compliance, remote work, and security scenarios.
Post-purchase support: Plan product rollouts, deploy advanced features, troubleshoot issues, and scale deployments based on organizational needs.
Reliable information: Sourced from official Microsoft channels, ensuring accuracy and relevance.
Role-based responses: Tailored insights for both technical and non-technical users.

Real-World Applications

Whether you're planning a new deployment or managing an existing environment, Microsoft 365 Setup Expert can help you:

Simplify and expedite deployments
Reduce reliance on credentialed admins
Foster collaboration across roles
Streamline procurement decisions

Learn more about Microsoft 365 Setup Expert

Dive deeper into how Setup Expert can transform your setup processes in the full blog post at the Setup site.

Find Setup Expert at setup.cloud.microsoft and start leading your organization through smarter, faster, and more collaborative deployments today!

rss.livelink.threads-in-node

Azure Availability Zone Mapping and VM Resilience Analysis Guidance using SRE.AZURE.COM Agent

Overview

Why This Matters

Example

What SRE.Azure.com agent Enables

Suggested Prompt

Microsoft 365 Copilot on mobile: What staged rollout plans can miss

What we’re seeing: mobile changes the moments where Copilot shows up

Staged Copilot deployment ≠ staged usage

What to do: four areas that tend to matter most

Next step

Windows 365 for Agents: run AI agents in Cloud PCs across real applications

What’s changing?

Windows 365 for Agents introduces the right execution environment

Get started with Windows 365 for Agents

Deploying DNS Private Resolvers and Private DNS Zones for Azure AI Supported Services

Copilot agents are scaling faster than most organizations expected

When success creates a new problem

Why scale changes the conversation

A CIO‑level framework for deliberate scale

Copilot Chat in financial services: Is productivity moving faster than policy?

We'd like to know:

Modernizing On‑Prem File Servers: Azure Storage Mover and File Sync

Copilot adoption: Move your org from pilot to production with this guide

Did you know?

The Copilot resource guide to share with your employees

How to use it with end users

Need help?

Intermittent Delay in Loading Files Tab in Microsoft Teams Channels

Ready to accelerate your Zero Trust journey? Discover what’s next

Next steps

Governing Copilot agents: Your next step starts here

Next Steps

Bring AI out of the shadows with agents for Microsoft 365 Copilot Chat

What is shadow AI?

Should you ignore or even allow shadow AI?

What IT admins are up against

Copilot Chat agents remove the roadblocks to getting value from AI

Copilot Chat agents strengthen governance

Key deployment benefits for IT admins

Take the next step

Tools that make it easier

Deployment blueprint: Get started today

Copilot Chat agent deployment checklist

Shadow AI prevention checklist

Driving adoption and measuring impact with the Microsoft 365 Copilot Dashboard

What is the Copilot Dashboard?

Key features and core metrics of the Copilot Dashboard

Comprehensive Metrics

Readiness tracking

Adoption insights

Learning opportunities

Managing the Copilot Dashboard: Key admin responsibilities

1. Setting up and configuring the Microsoft 365 Copilot Dashboard

2. Granting access and supporting business stakeholders

Who should have access to the Copilot Dashboard?

Business leaders

Department heads

IT managers

HR Managers

How do admins grant access to the Copilot Dashboard?

1. The Microsoft 365 admin center

2. PowerShell

How do business stakeholders access the Copilot Dashboard?

3. Integrating organizational data into the dashboard

Empowering business stakeholders with insights they can act on

Learn more

Need more assistance? FastTrack is here to help!

Azure Firewall and Service Endpoints

The Design

Network Rules or Application Rules?

Conclusion

Google Workspace migration to Microsoft 365 with multiple domains

Deploy Microsoft Defender XDR today and start protecting your entire digital estate

Microsoft Defender: The industry leading2, XDR solution with added value

The Microsoft Defender platform:

Microsoft Defender XDR, powered by AI, integrates seamlessly with other Microsoft 365 products and security tools

Microsoft Defender is embedded with Microsoft Sentinel

Microsoft Defender integrates with Azure’s Microsoft Defender for Cloud

Microsoft Defender: The industry leading², XDR solution with added value