New blog articles in Microsoft Community Hub

Microsoft 365 E7 and Agent 365 are now generally available

carolinestanford — Fri, 01 May 2026 15:00:00 GMT

Frontier Transformation is about fundamentally changing how organizations operate – embedding AI into everyday workflows to accelerate decisions, improve outcomes, and drive measurable business impact. Achieving these benefits requires more than just access to powerful models. At Microsoft, we see transformations succeed only when two elements come together: Intelligence and Trust.

Microsoft 365 E7 is built to do exactly that – combining advanced AI capabilities with enterprise-grade security and governance so organizations can move beyond isolated pilots and deploy AI confidently at scale.

Today, Microsoft 365 E7 – the Frontier Suite – is generally available, offering a single, integrated solution that unifies intelligence and trust, so organizations can move from experimentation to enterprise-wide AI adoption.

Microsoft 365 E7 brings these capabilities together in one suite:

Microsoft 365 Copilot: AI built for work

Microsoft 365 E5: enterprise‑grade productivity, security, identity, and compliance

Microsoft Entra Suite: identity and network access controls that secure employee use of all apps and AI

Microsoft Agent 365: the control plane for governing, observing, and securing AI agents at scale

This integrated approach helps organizations confidently deploy AI and agents at scale while maintaining the security and compliance posture they need, using the enterprise-grade tools they trust from Microsoft.

With today’s general availability, customers can now purchase and deploy Microsoft 365 E7 across their organizations.

Agent 365 is now generally available

Today also marks the general availability of Microsoft Agent 365. Agent 365 is the control plane for agents, extending the visibility, control, and trust that organizations rely on for users to the agents they deploy. To learn more about Agent 365 and expanded capabilities we are announcing read the latest Blog here.

As agents become part of everyday work, Agent 365 provides a consistent way to:

Observe: Gain visibility into agents in your environment, understand how they’re used, and act quickly on performance, behavior, and risk signals before they impact the business.

Govern: Establish guardrails for agents and people, onboard agents with IT oversight, and govern agent access to resources and data. Be audit ready with built-in compliance and data retention.

Secure: Secure agent identities, control access to resources, prevent data oversharing and leaks, and defend against threats and vulnerabilities with enterprise-grade security solutions.

Agent 365 provides management and protection for agents built across platforms and runtimes, including SaaS, cloud, and local agents. Agent 365 also supports agents with both their own access and delegated access, helping to ensure a consistent approach across all agent scenarios.

Get started with Microsoft 365 E7 and Agent 365

At $99 per user per month, E7¹ is priced below purchasing these capabilities à la carte, giving customers a simpler, more cost-effective way to deploy enterprise AI at scale.

In addition to being included with Microsoft 365 E7, Agent 365 is available as a standalone license at $15 per user per month.

¹Microsoft 365 E7 is available with and without Teams.

Read related articles and resources:

Introducing the First Frontier Suite built on Intelligence + Trust

Powering Frontier Transformation with Copilot and agents

Partner Blog: Lead Frontier Transformation with Microsoft 365 E7, now generally available

Microsoft 365 Enterprise Webpage

Agent 365 Webpage

Agent 365 adoption resources and a Getting Started Guide are available at aka.ms/A365adoption

To discuss how Microsoft 365 E7 can meet your organization’s needs, please connect with your Microsoft representative or partner of choice.

What’s New in Agent 365: May 2026

alexpozin — Fri, 01 May 2026 15:00:00 GMT

By Alex Pozin, Samer Baroudi

As we celebrate the general availability of Agent 365, we’re sharing a closer look at the core capabilities that help organizations adopt agents at scale, responsibly and with speed. Agent 365 is built on three core value pillars: observe, govern, and secure, designed to give IT and security teams clear visibility, consistent controls, and enterprise-grade protection across your entire agent fleet. In this series, we’ll highlight new Agent 365 features and enhancements now and over the months ahead. Let’s dive deep into all the things you can do today.

Observe: Monitor and manage agents in real time

Agent 365 overview dashboard

The Agent 365 overview dashboard is your starting point for Agent 365 in the Microsoft 365 admin center. With the overview dashboard you gain a clear, real-time view of your agents fleet by surfacing key metrics such as total registered agents, active users, growth trends, connected platforms, total runtime in hours, and emerging risk signals. At a glance, admins can understand the scale, adoption, and overall risk posture of their agent fleet, while recommended actions highlight where attention is needed most, such as reviewing pending agent requests, assigning owners to unclaimed agents, or addressing agents with exceptions (e.g. errors in conversation). Deeper analytics enable exploration of who is building agents, which platforms are gaining traction, how adoption is trending over time, and which agents are most heavily used, helping organizations move from basic visibility to informed, proactive governance as their agent ecosystem grows. As we continue to enrich the overview dashboard based on your needs, use this surface to quickly assess the scale, health, and risk posture of your agent environment, and take prioritized actions to stay in control as adoption grows.

An image showing the Agent 365 overview page with tile cards displaying key metrics, top actions and agent analytics.

Registry

As organizations scale their use of agents, having a single, authoritative system of record for agents becomes foundational to visibility, control, and trust. Agent 365 provides a centralized and unified registry that serves as the system of record for agents in the organization. Each agent¹, including those built by Microsoft, your organization, or ecosystem partners, is detailed with a complete record enriched with metadata like its name, description, publisher, platform, ownership, availability and deployment status, permissions from the Microsoft Graph, data and tools access, security and compliance details, certifications, usage activity, and more, giving IT and security teams a full view and eliminating blind spots.

An image displaying the Agent 365 registry, showing a list view of agents, tile cards for agent counts, and filter/search navigation elements.

Map

The agents map view provides a visual graph of the agent ecosystem, organizing agents by platform into clear clusters and surfacing agent counts so admins can quickly understand the scale and composition of their environment. As you zoom in, the map reveals individual agents and, for a selected agent, visualizes its connections to other agents, making dependencies and relationships explicit as agent usage grows across Microsoft and third-party platforms. Together, these views help IT and security teams move beyond static lists to spot patterns, understand how agents interact, and maintain visibility as their agent landscape becomes more complex.

An image showing the map view of all agents in the organization clustered by platform

Agent-level activity

Agent‑level activity metrics give admins operational visibility into how each agent is running and being used across the organization. Metrics such as usage sessions, engagement trends, and active users, help admins assess agent usage and validate adoption. Additionally, by correlating activity with users and policy signals, teams can quickly assess unusual behavior, exception alerts, or misconfigurations. Exportable activity data enables deeper analysis and reporting.

An image showing a fictitious agent named Zava Alerting agent selected in the registry and displaying agent activity details with metrics and charts for active users, sessions and agent responses.

Registry sync (Preview)

As agents are increasingly built and deployed across multiple platforms, organizations often lack a unified way to discover, inventory, and govern them. Registry sync enables AI admins to securely consent to and connect ecosystem partner agent platforms to Agent 365, bringing external agents and their metadata into the Agent 365 registry for a more unified view of your agent population. Where supported by the synced platform, you can also take agent-level governance actions directly from the Agent 365 registry, starting with agent deletion, to agents built on these platforms. The initial preview includes connections to AWS and Google Cloud, with additional partner platforms planned for future releases.

An image showing the registry sync detail view for the Amazon Bedrock connection showing options to sync, edit, and delete the connection, connection details, and a list of synced agents.

Shadow AI detection and blocking (Preview)

Local agents installed on company devices outside IT and security visibility is an emerging endpoint risk. These agents can read files, execute code, and act on a user’s behalf, enabling access to sensitive data or risky operations without touching managed cloud services. Agent 365 provides the control plane to register and manage approved agents across the environment.

A new Shadow AI page, enabled by Microsoft Defender and Microsoft Intune, helps identify local agent activity on Windows devices and apply endpoint controls. Initial support includes OpenClaw, with plans to expand to additional widely used agents over time. Admins get a centralized view of local agent usage and can take action to limit unsanctioned execution paths at the endpoint, helping reduce risk while supporting approved tools.

Detect — one view of local agents across the environment with Agent 365
Block — Intune policies that help stop unsanctioned agent execution at the endpoint
Protect at scale — guardrails expand with your estate as coverage extends beyond OpenClaw to GitHub Copilot CLI, Claude Code, and more.

These capabilities help reduce Shadow AI exposure and bring local agents into a governed, secure endpoint posture.

An image showing the new Shadow AI page in Agent 365 in the Microsoft 365 admin center, with a list of devices that OpenClaw agents are running on.

An image showing the new Shadow AI page of Agent 365 in the Microsoft 365 admin center, where Intune policies are being applied

Govern: Establish guardrails for agents and users

Agent-level lifecycle and governance actions

AI admins can install, publish, block, unblock, delete, assign new owner for agents - all directly from the Agent 365 registry. Centralized lifecycle and governance actions remove friction, reduce delays, and enable fast response as agents are created, shared, and retired.

An image showing the agent-level governance actions in the Agent 365 registry

Agent distribution and availability controls

Agent distribution and availability controls ensure the right agents reach the right users without overexposure or risk. You can install an agent and precisely control where it’s available across the organization, choosing to make it available to no users, all users, or specific users and groups. This foundational control is critical as it can help enable safe and intentional rollout of agents aligned to roles, readiness, and business need.

An image displaying the Zava Alerting agent selected in the registry showing installation and availability controls, making it available to only the Agent 365 AI admin and Security Admin user groups

Admin approval and publication flow for requested agents

The agent approval and publication flow gives admins a centralized control point to review agents before they reach users. Assess each requested agent’s capabilities, data access, permissions, and security and compliance posture in the Agent 365 registry, then choose to publish or reject it from a single workflow. This prevents agent sprawl, reduces over‑privileged access, and ensures agents are onboarded with the right governance across Copilot Studio, Microsoft Foundry, and expanding agent platforms.

An image displaying requested agents showing the fictitious Staffing Agent selected with options to either public to store or reject submission

Agent management rules

To help scale governance as adoption grows, Agent 365 automates routine management jobs with rules that act when conditions are met such as expiring inactive agents or blocking agents flagged as risky. Initially, rules-based governance will include standard rules for auto-deployment of Microsoft-built agents as well as auto-reassignment of ownerless agents (starting with agents built with Agent Builder).

An image displaying agent management rules in Agent 365 settings displaying the standard rule for reassigning ownerless agents.

Policy templates

Policy templates address the challenge of applying consistent security, compliance, and access controls as agent adoption scales across the organization. By grouping existing policies from services like Microsoft Entra, Microsoft Purview, Microsoft Defender, and Microsoft SharePoint into reusable templates, admins can apply standardized settings and guardrails to agents during approval or onboarding. This ensures consistent governance without configuring individual policies per agent, and is distinct from rules based automation, which manages lifecycle actions after deployment.

An image displaying policy templates in Agent 365 settings showing a specific policy template detail view including policies from Microsoft Entra, Purview, Defender, and SharePoint

Tools management

Tools are the resources and services an agent uses to take action and get work done within approved boundaries; for example, an agent can use the Microsoft Teams MCP to schedule a meeting, summarize a conversation, and post updates back to a Teams channel for the group. As agents are built with more capabilities taking more actions across Microsoft 365 and beyond, unmanaged tools introduce security, compliance, and operational risk. Tools management in Agent 365 gives AI admins a centralized control point to view, allow, or block the tools agents can use, such as Microsoft MCP servers, across the tenant. By enforcing consistent, admin-approved tooling policies, organizations ensure agents operate only within approved boundaries and permissions, reducing risk without slowing innovation or requiring per-agent configuration.

An image displaying the Tools management pane in Agent 365 displaying a list view of MCP servers

Identity governance for agents

High-impact agents often rely on access to a wide range of organizational resources to perform their tasks, making it critical to manage permissions with precision and control. Microsoft Entra ID Governance for agents brings agents into the same identity governance model used for people. Access packages help define and manage agent permissions with appropriate scope and control, while sponsor lifecycle workflows ensure each agent identity has an assigned user responsible for overseeing access, maintaining accountability, and keeping access aligned with organizational policies over time. Together, these capabilities help organizations keep agent access visible, intentional, and manageable as agents evolve, enabling consistent governance and control at scale as agent adoption grows.

An image displaying ID Governance access package policy being applied to a policy template in Agent 365

Data Lifecycle Management for agents and interactions

As agents reason over and generate content, organizations need clear controls over how long agent interactions are retained and when they’re removed. Microsoft Purview Data Lifecycle Management enables admins to define retention and deletion policies for human‑to‑agent and agent‑to‑human interactions, scoped by users, agents, or groups, with custom retention periods and post‑retention actions. By extending proven Purview controls to agent interactions, organizations can reduce data exposure and scale agent adoption with consistent, auditable data governance.

An image displaying a data lifecycle management retention policy in Microsoft Purview

Communication compliance for agents

As agents interact with people at scale, organizations need visibility and controls to detect unethical, inappropriate, or non-compliant behavior. Microsoft Purview Communication Compliance in Agent 365 enables you to define and apply policies to human-to-agent and agent-to-human interactions, enabling centralized detection, review, and investigation of risky behavior. By bringing AI interactions into existing compliance operations, organizations can promote responsible agent use, protect employees, and scale agent adoption with built-in oversight and accountability.

An image displaying a communication compliance policy in Microsoft Purview

eDiscovery for agent activity

Agents generate and act on organizational data, and legal and compliance teams need a way to preserve, search, and review agent activity with the same rigor as human communications. Purview eDiscovery lets organizations place agent interactions under legal hold, search agent‑to‑human and human‑to‑agent interactions across all agents, and review both agent outputs and the documents accessed during execution runtime, all within Microsoft Purview. This delivers a defensible, end‑to‑end discovery experience for agent activity using familiar legal and compliance workflows, enabling confident adoption while meeting regulatory and litigation obligations.

An image displaying an eDiscovery query in Microsoft Purview

Secure: Protect agents comprehensively

Risk flags in Agent 365 registry and overview

Agent 365 brings IT and Security teams together to create a connected experience for governing AI agents. Agent 365 surfaces agent‑level security and compliance risk flags, powered by first‑party signals from Microsoft Defender, Entra, and Purview, giving AI admins a unified view of risky agents directly in the Microsoft 365 admin center. From the Agent 365 overview or registry, admins can take actions like block agents or restrict access, and escalate to security teams to quickly responds and reduce risk. By bringing IT and Security signals together in a single management surface, Agent 365 enables stronger cross‑team collaboration, making agent management a shared responsibility where IT and Security teams work together to assess risk, take action, and govern agents securely and at scale.

An image displaying the security details for a fictitious Comms agent showing two risk flags identified by Microsoft Purview

Conditional Access for agents

Agents acting on behalf of users can introduce new access risks, especially when interacting with organizational resources. Microsoft Entra Conditional Access enforces dynamic, granular access policies for agents that operate independently, and extends existing user policies to agents acting on behalf of users. It applies the same Zero Trust principles to ensure agent actions are consistently evaluated based on real-time context and risk. This helps organizations reduce the risk of unauthorized or unsafe access by enforcing adaptive, risk-based access controls without introducing a new policy model. Note that Conditional Access for agents is generally available for delegated access agents (agents that act on behalf of the user) and is in public preview for own access agents (agents that operate with their own identity, not tied to a user session).

An image showing the creation of a new conditional access policy for agents in Microsoft Entra admin center

Identity protection for agents

Agents, whether they are acting on behalf of users or operate independently, can introduce new access risks when elevated agent risk, user risk or sign-in risk is present. Microsoft Entra ID Protection prevents compromise with dynamic evaluation of agent and user identity compromise risk. These risk signals can then be used by Conditional Access policies to block or constrain access to prevent compromise with risk-based Conditional access for agents that act independently and extending risk-based conditional access from users to agents for agents that work on behalf of users. Similar to Conditional Access, Identity protection for agents is generally available for delegated access agents (agents that act on behalf of the user) and is in Public preview for own access agents (agents that operate with their own identity, not tied to a user session).

An image displaying a Conditional Access policy for agents in the Microsoft Entra admin center

Secure Access Service Edge for agents

Secure Access Service Edge (SASE) for agents extends identity-aware, network-level security controls to agent traffic. For Microsoft Copilot Studio agents and agents running on local endpoint devices with Global Secure Access client installed, it provides prompt injection protection, threat intelligence filtering, web and URL filtering, and network file filtering to help reduce exposure to malicious destinations and unsafe transfers. Together, these capabilities help organizations extend consistent network protections to agent traffic and support safer agent adoption at scale.

An image showing Global Secure Access for agents and traffic details in Microsoft Entra

Threat detection and blocking for agents (Preview)

Agent adoption brings new threats, such as prompt attacks and tool misuse. Microsoft Defender enables security teams to detect, block, and investigate agent threats in runtime. For example, when an agent abuses its permissions to an email MCP server, exhibiting suspicious behaviors that may cause security incidents, Microsoft Defender can block the email invocation to reduce the incident's impact and trigger incident alerts in the Defender portal for investigation and response. This capability enables security teams to effectively defend agents against the evolving AI threat landscape.

An image showing how a security team can detect, block, and investigate agent threats such as prompt attack and tool misuse in the Microsoft Defender portal

Threat hunting and investigation for agents (Preview)

Beyond threat detection and blocking, security teams can use the unified observability logs in Agent 365 for Advanced Hunting to proactively search for threats, vulnerabilities, and potential exposures in their organization's agentic environment. For example, security teams can identify risky configurations, such as agents with MCP tools using maker credentials. These permissions allow MCP tools to operate as the maker, potentially leading to privilege escalation and exposure. Security teams can run queries in Advanced Hunting to generate a list of agents that present this risk, then collaborate across teams to remediate these risks before they turn into incidents.

Security team can proactively identify vulnerabilities and exposure leveraging Advanced Hunting capabilities in Microsoft Defender

Agent security posture management (Preview)

As organizations deploy more agents, security teams need continuous insight into which agents are over‑privileged, misconfigured, or exposed to attack. Microsoft Defender provides agent security posture management by assessing the security posture of Foundry and Copilot Studio agents, identifying vulnerabilities such as excessive permissions and misconfigurations, and surfacing prioritized security recommendations, risk context, and attack path analysis to AI agents. This enables teams to focus remediation where risk is highest, reduce exposure early, and ensure agents are built, deployed, and operated securely across their lifecycle.

An image showing the fictitious agent Zava Assist in Microsoft Defender

Data Security Posture Management (DSPM) AI Observability for agents

Organizations lack clear visibility into how AI agents access and expose sensitive data, increasing the risk of oversharing and unintended data leakage. Microsoft Purview AI Observability in DSPM provides unified visibility into all agents operating across your environment, Microsoft and non‑Microsoft, and continuously assesses agent data risk posture. This enables security teams to identify sensitive data exposure early, make informed decisions, and proactively reduce risk before it becomes an incident.

An image showing AI observability within Data Security Posture Management (DSPM) in Microsoft Purview

Insider Risk Management for agents

As organizations scale AI agents, they lack visibility into whether agents are accessing, generating, or exposing sensitive data in risky ways. Microsoft Purview Insider Risk Management for agents evaluated insider risk for agents by treating them as first‑class identities, enabling detection of risky agent behaviors such as anomalous data access or sensitive content in outputs. This allows security teams to intervene early and confidently scale AI agents while maintaining security, accountability, and compliance.

An image showing an alert spotting an agent attempt at sensitive file exfiltration within Microsoft Purview

Data loss prevention for agents

As agent adoption scales, confidential information can be unintentionally included in agent interactions, increasing the risk of data exposure across the organization. Microsoft Purview Data Loss Prevention (DLP) extends the same protections organizations use for people - such as to prevent data exfiltration and oversharing - to AI agents, for example by blocking an agent from emailing a confidential file to an external recipient.

Also, DLP controls for grounding data protect the data agents rely on to reason and respond to interactions. It leverages DLP and labeling policies directly to the data sources used for grounding, preventing agents from accessing or using sensitive content that shouldn’t inform AI decisions or outputs. This gives organizations confidence that advanced AI agents can be deployed without increasing data exposure or compliance risk, even as agents operate across multiple data systems.

An image displaying a conversation with fictitious agent Zava Procurement Agent showing a DLP-protected document cannot be summarized

Conclusion

As agents become a core part of everyday work, organizations need a way to extend the controls they already trust, from managing people, devices, apps, and data, to managing agents. With Agent 365, Microsoft brings agents into the same, familiar identity, security, and compliance frameworks customers already rely on today. These GA capabilities lay the foundation for scaling agent adoption with confidence, enabling organizations to unlock innovation and productivity while ensuring agents remain governed, secure, and aligned with your organization's needs.

Next steps:

Footnotes

Agent metadata available in the Agent 365 registry differs based on the agent’s source platform, as well as factors such as how the agent was built, integrated, and registered. As a result, some agents may expose richer or more standardized metadata, while others may only provide a subset of fields.

Windows 365 for Agents now in public preview: Run AI agents securely, at scale

SwarnimSrivastava — Fri, 01 May 2026 15:00:00 GMT

AI agents are rapidly evolving from tools that answer questions to performing human-level work inside an enterprise ecosystem, powering essential business workflows that have traditionally been completed manually. But while governance and policy models are emerging, one critical question remains unresolved for IT: where should agents actually run?

Many applications that enterprises rely on, from legacy line-of-business systems to complex multistep workflows, were not built with APIs. As a result, critical work still happens through user interfaces, where context, data, and intent are conveyed visually. To unlock their full potential, AI agents need to interact with applications the same way people do, using a computer to interact directly through clicks, typing, and navigation. Today, many agents execute on ad hoc infrastructure—local machines, shared virtual machines, or unmanaged cloud environment—creating gaps in identity, policy enforcement, auditability, and control. That makes it difficult for IT teams to confidently scale agentic workloads beyond API- or MCP-based pilots.

Today, we’re bringing Windows 365 for Agents to public preview (US only), providing a secured, purpose-built, IT-managed Cloud PC environment designed specifically for running AI agents at enterprise scale. Windows 365 for Agents provides agents with a dedicated, Microsoft Intune-managed Cloud PC—bringing the same identity, security, and compliance model IT already uses for employees to agent execution.

Windows 365 for Agents works alongside Microsoft Agent 365 (now generally available), which serves as the control plane for AI agents. It's where organizations define agent behavior, set up organizational policies, manage permissions, and maintain visibility into what agents are doing across the enterprise, whether those agents are built by Microsoft or third-party agent makers. Together, these two offerings give IT teams a clear model for governing what agents can do and securely managing where that work runs, enabling organizations to move from early agent experiments to IT-managed, production-ready deployments.

Think of it this way: every employee in an organization has an identity and works on a managed device, such as a Windows 365 Enterprise Cloud PC. Now, each AI agent also has its own identity, governed through Agent 365 and running on a managed Cloud PC provided by Windows 365 for Agents. It’s the same trust model and same IT controls—now extended to AI. By extending this proven model to agent workloads, organizations gain:

Enterprise-grade identity and access controls for every agent
Unified device and policy management through the tools IT already use
Global scalability and geo-level data residency options to meet compliance requirements

How Windows 365 for Agents fits into the Microsoft AI ecosystem

Microsoft 365 Copilot brings AI into the flow of work inside the apps employees already use. Behind it is Microsoft IQ, the intelligence layer that provides shared context across people, work, and the business—helping AI understand what matters in the moment and make informed decisions.

That intelligence enables agents to reason, but completing real work—especially for AI agents that interact with UI-based or legacy applications and browsers through computer-use workflows—requires a secured place to execute. Windows 365 for Agents provides that execution layer, delivering a fully managed Windows environment purpose-built for agentic workloads. Unlike ad-hoc infrastructure, Windows 365 for Agents is a complete, IT-managed Cloud PC service, with identity, security, policy, and lifecycle management handled for you.

Microsoft IQ gives agents the smarts; Windows 365 for Agents gives them the trusted runtime to get work done. All of this runs on Microsoft Azure, the global cloud foundation for secure, scalable AI. Agent 365 complements this model by providing the control plane to govern agent behavior end to end. These capabilities combine to form a single platform that lets organizations scale AI with confidence—without compromising trust.

Windows 365for Agents is the foundational layer for running agents securely across first-party and third-party agent makers.

Evaluating Windows 365 for Agents

Windows 365 for Agents is built for enterprise IT teams and the organizations they support, specifically those that:

Rely on applications that require UI interaction, including legacy tools, browser-based workflows, and systems where APIs alone aren't enough
Need enterprise-grade security and compliance for AI agents, with identity governance, policy controls, and audit trails
Want IT-managed environments for agent workloads without building and maintaining custom infrastructure
Are exploring human-in-the-loop models where agents work alongside people, requesting approval for sensitive actions

This includes IT administrators, security teams, digital workplace leaders, and platform teams responsible for enabling AI safely across the organization.

To bring this to life, this Windows 365 for Agents demo shows how agents move from setup to execution in a secured, managed environment.

Join the Windows 365 for Agents public preview (US only)

Ready to try Windows 365 for Agents? You will need:

Agent 365 license
Intune license
An active Azure subscription to support Window 365 for Agents billing

Setup and onboarding

Explore Agent 365 to understand how agents are defined, governed, and managed [Microsoft Agent 365 overview | Microsoft Learn]
Create an agent blueprint for scenarios that require Windows 365 for Agents [Discover, create, and onboard an agent | Microsoft Learn]
Set up billing for Windows 365 for Agents using your existing Azure subscription [Windows 365 for Agents Billing | Microsoft Learn]
Create a Cloud PC pool for agent workloads [Cloud PC Agent Pools | Microsoft Learn]
Explore and validate scenarios by running agents in a secure environment [Use and collaborate with agents in Agent 365 | Microsoft Learn]

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

AI‑Accelerated AVM Refactoring: Modernizing Legacy IaC Safely and Swiftly

HimanshuYadav — Fri, 01 May 2026 12:14:29 GMT

Why AVM refactoring is harder in brownfield

Greenfield AVM adoption is straightforward: pick the module, deploy, and iterate. Brownfield is different. You’re refactoring *live* infrastructure — where state, naming conventions, diagnostic settings, and policy baselines already exist.

In one anonymized engagement, an AI‑assisted audit found that **43% of module invocations (~10 modules) ** still relied on legacy, non‑AVM wrappers — even though modernization work was already underway.

That number wasn’t just a KPI. It became the roadmap: which modules to prioritize, where inconsistency risk was highest, and which components needed deeper plan review.

The hidden risks you only feel during refactor

AVM adoption often introduces more than a module source change. It can also bring:

New naming patterns (especially around extensions like diagnostics)
More structured configuration objects (maps/objects replacing flat inputs)
Additional ‘helper’ resources (RBAC, wait timers, diagnostics wiring)
Policy‑aligned defaults (encryption, public access disabled, logging enabled)
Provider/version constraint pressure (to meet AVM expectations)

None of these are bad — in fact, they’re usually improvements. But in a live estate, each change must be checked through one lens: **state safety**.

Where AI actually helps (and where it doesn’t)

AI is most valuable when it reduces *mechanical effort* — the repetitive work that slows teams down — while humans keep ownership of architecture and risk.

1) Automated codebase audit (the fastest win)

AI can scan a repo and produce an inventory of module usage, versions, and adoption status: direct AVM, AVM‑wrapped, legacy wrappers, and native resources. This turns hours of manual inspection into a structured baseline report.

2) Draft refactors scaffolding (with mandatory human review)

Tools like GitHub Copilot can generate first‑pass Terraform refactors — reshaping legacy calls into AVM‑style interfaces and scaffolding optional blocks (diagnostics, identities, RBAC).

But AI output should be treated as *a proposal*, not a truth. The most dangerous failures aren’t syntax errors — they’re subtle mismatches: a parameter mapped to the wrong field, a default that changes behavior, or an omitted lifecycle constraint.

3) Terraform plan diff interpretation (explain what changed)

Refactoring to AVM can expand plan output. AI can help summarize large diffs into:

Benign additions (telemetry wiring, diagnostics scaffolding, RBAC helpers)
Behavioral changes requiring sign‑off (network exposure, encryption posture, identity model)
High‑risk actions (destroy/recreate) and the exact resource addresses involved

This doesn’t replace plan review — it accelerates understanding so reviewers can focus on what truly matters.

4) Policy violation translation (from red to ready)

When policy gates fail (Azure Policy, Checkov, etc.), AI is great at translating requirements into actionable remediation — and checking whether AVM supports it natively or needs supplementary configuration.

5) Repository hygiene enforcement (structure as a hard gate)

In multi‑team repos, drift happens: ad‑hoc scripts, local module copies, inconsistent folder patterns. AI can continuously scan for these anti‑patterns and flag deviations early — before they become ‘how we do it now’.

6) Specification‑driven development (the future‑proof approach)

Microsoft’s AVM guidance now explicitly discusses **AI‑assisted IaC solution development** — pairing AVM modules with AI tools to speed delivery while keeping humans in control. In parallel, approaches like Spec Kit promote structured, specification‑driven workflows so requirements and constraints remain the source of truth.

The operating model that keeps you safe

Here’s the simplest rule I’ve seen work consistently:

**AI drafts. Humans validate. The Terraform plan decides.**

That operating model prevents two extremes: (1) refusing AI because it’s imperfect, and (2) trusting AI output blindly because it sounds confident.

A practical AI‑accelerated refactor playbook

If you want a repeatable approach that scales across environments, here’s a playbook that balances speed and safety:

Baseline audit: inventory module sources and adoption categories.
Equivalence check: identify AVM‑ready modules vs AVM gaps.
Slice the work: refactor one bounded component first.
Use AI for scaffolding: generate draft code and a migration checklist.
Plan review discipline: categorize additions vs updates vs replacements.
Import decision framework: import where state safety matters; accept in‑place updates only when semantics are unchanged.
Governance gates: enforce structure + policy + plan review before merge.
Iterate: expect multiple cycles — AI should compress cycles, not eliminate them.

Don’t couple refactoring with compliance

One more lesson worth calling out: **AVM adoption and compliance are related, but not identical.**

Treat policy enforcement as a continuous pipeline requirement from Dev through Prod — independent of whether a component is fully AVM‑aligned. This avoids scope creep (“refactor means fix everything”) while still driving the estate toward a no‑surprises posture.

What ‘success’ looks like

A successful AI‑accelerated AVM refactor typically delivers:

Lower variance between environments
Fewer one‑off wrappers and exceptions
Stronger defaults aligned to policy
A smaller drift surface area
Faster, safer change velocity

And the best part? It changes the mindset from ‘IaC as scripts’ to **IaC as a governed product** — with standards that hold up in audits and operations.

Closing thought

AI won’t replace your architectural accountability — and it shouldn’t try to. But it *can* remove the friction that makes refactoring feel impossible.

If you’re sitting on a pile of legacy wrapper modules today, consider this: the safest time to modernize is **before** the next urgent change lands in your backlog.

References (public)

Azure Verified Modules (AVM): https://azure.github.io/Azure-Verified-Modules/
AI‑Assisted IaC Solution Development (AVM): https://azure.github.io/Azure-Verified-Modules/experimental/ai-assisted-sol-dev/
Spec Kit (AVM): https://azure.github.io/Azure-Verified-Modules/experimental/ai-assisted-sol-dev/spec-kit/
AVM Telemetry guidance: https://azure.github.io/Azure-Verified-Modules/help-support/telemetry/
Microsoft Learn – Azure Verified Modules overview: https://learn.microsoft.com/en-us/community/content/azure-verified-modules

From Terminal to Autonomous Coding: Mastering GitHub Copilot CLI ACP Server

Ravindra_Kumar_Vishwakarma — Fri, 01 May 2026 07:00:00 GMT

Introduction

The rise of AI-powered development is no longer just about autocomplete—it’s about autonomous agents that can think, act, and collaborate. At the center of this transformation is the Agent Client Protocol (ACP) and its integration with GitHub Copilot CLI.

If you’ve ever wanted to:

Integrate Copilot into your own tools
Build custom AI-driven developer workflows
Orchestrate coding agents in CI/CD

Then understanding the GitHub Copilot CLI ACP Server is a game-changer.

This article will take you from zero to advanced, covering concepts, architecture, setup, and real-world use cases.

What Is Agent Client Protocol (ACP)?

The Agent Client Protocol (ACP) is an open standard designed to connect clients (like IDEs or tools) with AI agents in a consistent and interoperable way.

Why ACP Exists

Before ACP:

Every IDE needed custom integration for each AI agent
Every agent needed custom APIs per editor

ACP solves this by introducing a universal communication layer.

Key Idea

“Any editor can talk to any agent.”

Core Capabilities

ACP enables:

Standardized messaging between client and agent
Streaming responses
Tool execution with permissions
Session lifecycle management
Multi-agent coordination

This makes ACP a foundation layer for the agentic developer ecosystem.

What Is GitHub Copilot CLI ACP Server?

GitHub Copilot CLI can run as an ACP-compatible server, exposing its AI capabilities programmatically.

👉 In simple terms:

It turns Copilot into a backend AI agent service that any tool can connect to.

According to GitHub Docs:

Copilot CLI can run in ACP mode using a flag
It supports standardized communication via ACP
It enables integration with IDEs, pipelines, and custom tools

Architecture: How ACP + Copilot CLI Works

Components

Component	Role
Client	Sends prompts, receives responses
ACP Protocol	Standard communication layer
Copilot CLI	AI agent executing tasks
System	Files, repos, tools

Getting Started (Beginner Level)

Install GitHub Copilot CLI

Ensure:

Copilot subscription is active
CLI installed and authenticated

Start ACP Server

Default (stdio mode – recommended)

TCP Mode (for remote systems)

stdio: Best for IDE integration
TCP: Best for distributed systems

Connect Using ACP Client (Example)

Using TypeScript SDK:

You:

Start Copilot as a process
Create streams
Initialize connection
Send prompt
Receive streaming response

ACP uses:

NDJSON streams over stdin/stdout
Event-driven communication

ACP Workflow Explained

A typical flow looks like this:

Step-by-step lifecycle

Initialize connection
Create session
Send prompt
Agent processes task
Streaming updates returned
Optional tool execution (with permissions)
Session ends

ACP supports:

Text + multimodal inputs
Incremental responses
Cancellation and control

Real-World Use Cases

IDE Integration (Custom Editors)

Build your own AI-powered editor:

Connect via ACP
Send code context
Receive suggestions

CI/CD Automation

Imagine:

Use ACP to:

Auto-fix bugs
Generate tests
Refactor code

Multi-Agent Systems

ACP enables:

Copilot + other agents working together
Task delegation
Workflow orchestration

Custom Developer Tools

Examples:

AI code review dashboards
Internal dev assistants
ChatOps integrations

Advanced Concepts

Session Management

ACP allows:

Isolated sessions
Custom working directories
Context persistence

Streaming Responses

Instead of waiting:

Receive responses in chunks
Build real-time UIs

Permission Handling

ACP includes:

Tool execution approvals
Security boundaries
Controlled automation

Extensibility

ACP supports:

Multiple SDKs (TypeScript, Python, Rust, Kotlin)
Custom clients
Future protocol evolution

ACP vs Traditional Integration

Feature	Traditional APIs	ACP
Integration	Custom per tool	Standardized
Streaming	Limited	Native
Multi-agent	Hard	Built-in
Extensibility	Low	High
Interoperability	Poor	Excellent

Why ACP + Copilot CLI Is a Big Deal

This combination unlocks:

✅ Platform-level AI integration

No more vendor lock-in per editor

✅ True agentic workflows

Agents don’t just suggest—they act

✅ Ecosystem growth

Any tool can plug into Copilot

Challenges & Considerations

ACP is still in public preview
Requires understanding of:

Streams
Async communication

Debugging agent workflows can be complex

Future of Developer Experience

ACP represents a shift toward:

“AI-native development platforms”

Future possibilities:

Fully autonomous CI/CD pipelines
Cross-agent collaboration
Self-healing codebases

Final Thoughts

The GitHub Copilot CLI ACP Server is not just a feature—it’s a foundation for the next generation of software development.

If you are:

A developer → build smarter tools
A tech lead → design AI-driven workflows
A CTO aspirant → understand this deeply

Then ACP is something you must master early.

Quick Summary

ACP = Standard protocol for AI agents
Copilot CLI = Can run as ACP server
Enables = IDEs, CI/CD, multi-agent systems
Key power = interoperability + automation

AHEAD helps us launch the Strategic Azure Storage Services Partner Program

karautenMSFT — Fri, 01 May 2026 00:49:28 GMT

Authors:

Aung Oo, Vice President Azure Storage Product Management

Parker Leavitt, Partner Account Manager, AHEAD

Special thanks to:

Michael Johnson, Vice President, Cloud, AHEAD

AHEAD background

AHEAD was formed in 2007 and possesses deep expertise in Infrastructure, Cloud Platforms, AI, Analytics, Networking, Storage, Security and many more technical disciplines. 80% of AHEAD’s employees are engineers who help customers with the assessment of their needs to design optimal solutions and through implementation of complex application and infrastructure deployments. Headquartered in Chicago, IL, AHEAD has locations worldwide and is ready to assist with your most complex Azure projects. They hold over 1,000 Microsoft certifications and 4 Advanced Specializations.

Valued collaboration

AHEAD has been a key advisor to Azure Storage throughout the design and build of our Channel strategy. As a premier Microsoft Cloud and AI Partner, and with decades of Storage expertise, AHEAD helped us to create the Learning Path channel partners will need to complete to qualify as a Strategic Azure Storage Services Partner (SASS). SASS Partners have been validated by us to possess the skills to offer consulting, design, implementation, and migration services to Azure and ISV Storage services.

What can you expect?

AHEAD brings their history of infrastructure expertise to Azure Storage customers through a catalog of services that make it possible to select the optimal solution to ensure the ideal blend of price, performance, and resiliency.

Assessment

What are you doing to prepare for the industry wide memory shortage? How well do you understand your datasets? What are your performance requirements? Are there features you are paying for and not using? When was the last time that directory hosting the “Super Important Project” files was accessed? Is there mission critical data hiding that you should be leveraging to fuel Enterprise AI Agents? Is an Azure Storage Service the best fit for your data, or is it better to migrate it to one of our Storage ISV services?

AHEAD provides Microsoft-funded assessments that deliver data-driven guidance to help you align your application and data set needs with the ideal storage service(s) on Azure. We have long advocated that the best solution is the one that meets your requirements both today and in the future. AHEAD can help you get there.

Migration

After gaining insight into your data estate, AHEAD has the experience to help you migrate safely with best-of-breed solutions. Whether offline migration with Data Box or online over the network with Storage Mover or one of our validated ISVs like Komprise, Cirrus Data, or Cirata, AHEAD can help you move your data to an Azure Storage service like Blob Storage, Files, Elastic SAN, or NetApp Files – or one of our ISV Partners like Nasuni and Pure Storage. You can find our full list of validated partners on Microsoft Learn.

Azure Storage ISV Strength

An important reason we chose to onboard AHEAD as our first Strategic Channel Partner was the large crossover in mutual ISV relationships they possess, and their proven skills with each. You can view AHEAD’s full list of partners, including Nasuni, NetApp, Everpure, Commvault, Veeam, Rubrik, and Dell on their website. Our recent engagements with AHEAD and Nasuni are a great example of AHEAD’s depth. They were able to quickly determine Nasuni as the best fit for a customer who required a single centralized Azure-based repository for their data that could then be accessed within Azure and multiple remote locations simultaneously.

AHEAD has shown us that across their portfolio of ISVs, they can help you implement best-of-breed ISV services that include solutions in:

Air Gap Business Continuity
VMware Modernization
Storage Modernization
Cloud Scale Analytics
AI Dataset Curation

How can you move forward?

Do you need help understanding your data estate? Could you use expertise selecting the ideal service in Azure to host your data? Reach out to the AHEAD Azure team at info@ahead.com or via their Rapid Assess offer on Microsoft Marketplace and get started today!

Strategic Azure Storage Services Partner

In coming months, you will see our list of SASS Channel Partners expand, but we could not be more grateful to AHEAD for being a not only a pioneer, but a trusted advisor. Their commitment to Azure and Azure customers has made an impact that will benefit our customers worldwide.

Announcing Native PowerShell Tooling for ReFS Snapshots

Christina_Curlette — Fri, 01 May 2026 00:30:50 GMT

We’re excited to share a new open-source PowerShell module on GitHub that provides PowerShell-native management of ReFS snapshots. It wraps the existing refsutil streamsnapshot in cmdlets designed for scripting and automation, with pipeline support and consistent error handling.

If you’re already using ReFS for resilient storage on Windows Server or client, this tooling makes it significantly easier to integrate ReFS snapshots into your existing PowerShell-based management and automation workflows.

Why PowerShell-native ReFS snapshot management?

ReFS has long supported stream-level snapshots through the refsutil streamsnapshot command-line utility, enabling point-in-time capture of individual files or streams rather than an entire volume or filesystem. This makes stream snapshots well suited for targeted comparison or recovery scenarios where full volume snapshots would be unnecessary or too heavyweight. While powerful, refsutil was designed as a low-level utility—not easy to compose into scripts, pipelines, or scheduled automation.

The ReFSSnapshots PowerShell module addresses that gap by exposing ReFS snapshot functionality through idiomatic PowerShell cmdlets, making snapshots easier to:

Automate as part of routine server operations

Integrate into existing PowerShell scripts and modules

Apply consistently across many files or volumes using the pipeline

Manage safely with parameter validation and structured error handling

What the ReFSSnapshots module provides

The ReFSSnapshots module supports the following capabilities:

Create snapshots of files or streams at a specific point in time

List snapshots, including wildcard-based queries

Delete snapshots with confirmation safeguards

Compare snapshots against the current file state

Restore files from a previous snapshot state

Export snapshots to standalone files on any volume

Automate snapshot creation via Task Scheduler

Apply retention policies to clean up older snapshots automatically

All cmdlets are designed with pipeline support, so they can be composed alongside existing storage, monitoring, or validation scripts.

Some common scenarios that this module addresses include:

Operational safety points taken before patching, upgrades, or configuration changes

Automated comparison workflows, where changes between known states need to be evaluated programmatically

Scripted maintenance jobs that incorporate snapshot creation and cleanup as part of routine operations

Advanced Windows client or workstation scenarios using ReFS for large datasets, development artifacts, or experimental workflows, where lightweight, file‑level snapshots are useful without introducing a full backup solution

Getting started

Setup instructions, documentation, and examples are available in the GitHub repository.

System requirements

Windows Server 2019+ or Windows 10+

An ReFS-formatted volume (version 3.7 or later)

PowerShell 5.1 or newer (including PowerShell Core)

Examples

The following snippets are drawn from the module's GitHub examples and mapped to the scenarios called out above. They illustrate how ReFSSnapshots can be composed into routine operations, comparison workflows, scheduled maintenance, and lightweight workstation use.

Operational safety point before a configuration change — Take a named snapshot of a critical file immediately before applying a server configuration update, so you have a known-good point to compare against or restore from.

New-RefsSnapshot -Path D:\Data\database.dat -Name "PreChange_$(Get-Date -Format 'yyyyMMdd_HHmm')"

Automated comparison workflow — List recent snapshots for a file and compare the most recent one against the current state to evaluate what has changed since the last known baseline.

Get-RefsSnapshot -Path D:\Data\database.dat -Name "PreChange_*" | 
    Sort-Object SnapshotName -Descending | 
    Select-Object -First 1 | 
    Compare-RefsSnapshot

Scripted maintenance job with retention — Register a daily scheduled task that automatically creates snapshots of a database file and keeps only the most recent 14, so older snapshots are cleaned up as part of routine operations.

Register-RefsSnapshotSchedule -Path D:\Data\database.dat -Interval Daily -At "2:00 AM" -RetentionCount 14

Lightweight workstation snapshots for development artifacts — Use the pipeline to create a single named snapshot across many files in a working directory—useful on a Windows client when you want a quick, file-level safety net before an experimental change, without standing up a full backup solution.

Get-ChildItem E:\Repos\MyProject\artifacts\*.bin | 
    New-RefsSnapshot -Name "BeforeRefactor_$(Get-Date -Format 'yyyyMMdd')"

Try it out!

ReFSSnapshots provides a PowerShell-native surface over existing ReFS stream snapshot capabilities, enabling composable, scriptable file-level snapshot management on supported Windows Server and client systems. Give it a try and share your feedback on GitHub.

‑‑ Christina Curlette

Introducing DeepSeek V4 Flash and V4 Pro in Microsoft Foundry

RashaudSavage — Fri, 01 May 2026 00:09:35 GMT

As AI adoption matures, the conversation is shifting from model capability to system design, how to orchestrate models that deliver the right balance of quality, speed, and cost.

Today, we’re expanding the Microsoft Foundry model catalog with DeepSeek V4 Flash, and DeepSeek V4 Pro coming soon. It enables teams to build more adaptable and production-ready AI systems.

Why this matters?

Teams building AI applications today face a common challenge:
no single model is optimal for every task.

Complex workflows require deep reasoning and long-context understanding

High-volume applications demand low latency and cost efficiency

Production systems need the flexibility to switch models as requirements evolve

With DeepSeek V4 Pro and Flash in Microsoft Foundry, you can match the right model to the right task without changing your infrastructure.

Meet DeepSeek V4 Pro and Flash

DeepSeek V4 Pro – for advanced reasoning and complex workflows

DeepSeek V4 Pro is designed for high-precision tasks that require strong reasoning and deeper context understanding.

Best suited for:

Multi-step reasoning and analysis

Complex coding and debugging workflows

Long-document understanding and synthesis

Agentic workflows requiring planning and decision-making

Key benefits:

Strong reasoning performance for complex tasks

High-quality outputs for enterprise-grade use cases

Ideal for “high-stakes” workloads where accuracy matters most

DeepSeek V4 Flash – for speed and scale

DeepSeek V4 Flash is optimized for low latency and high-throughput scenarios, making it ideal for real-time and cost-sensitive applications.

Best suited for:

Chat and conversational experiences

High-volume content generation

Classification, summarization, and extraction

Real-time copilots and assistants

Key benefits:

Fast response times

Cost-efficient at scale
Optimized for production workloads with high concurrency

One platform, multiple models built for production

Both DeepSeek V4 Pro and Flash are available through Microsoft Foundry’s unified platform, so you can:

Access both models through a single API and endpoint

Easily switch between models based on workload needs

Route intelligently across models for cost and performance optimization

Evaluate and compare models using your own data

Deploy with enterprise-grade governance and security built in

This means you can move from experimentation to production without re-architecting your system.

Build smarter systems with model choice

In practice, most production systems benefit from using multiple models together:

Use DeepSeek V4 Flash for high-volume, real-time interactions

Route complex queries to DeepSeek V4 Pro for deeper reasoning

Combine both in agentic workflows to balance cost and quality dynamically

With Microsoft Foundry, this orchestration becomes seamless—enabling teams to build more efficient and resilient AI systems.

Enterprise-ready by design

DeepSeek models in Microsoft Foundry inherit the platform’s enterprise-grade capabilities:

Security and compliance controls to meet organizational requirements

Built-in content safety and governance

Observability and monitoring for usage, latency, and cost

Flexible deployment options aligned to your infrastructure needs

This ensures you can adopt new models without compromising on trust or control.

Pricing

Model	Input (1M tokens)	Output (1M tokens)
DeepSeek V4 Flash	$1.03	$4.12
DeepSeek V4 Pro	TBD	TBD

Getting started

DeepSeek V4 Flash is now available in Microsoft Foundry. DeepSeek V4 Pro will be available soon.

You can:

Explore both models in the Foundry model catalog

Evaluate them using your own datasets

Start building and deploying applications in minutes

AI is no longer about choosing a single “best” model.
It’s about building systems that intelligently balance quality, speed, and cost.

With DeepSeek V4 Pro and Flash in Microsoft Foundry, you get the flexibility to do exactly that—on a platform designed for enterprise-scale AI.

SASE 101: How to get started with secure access in a cloud-first world

SuleTatar — Thu, 30 Apr 2026 23:48:02 GMT

As organizations adopt cloud applications, hybrid work, and distributed teams, many are re-evaluating how users securely access applications and data. Secure Access Service Edge (SASE) has become a common starting point for these conversations, but for many teams, understanding where to begin can feel unclear.

This article provides a practical foundation for teams learning about SASE for the first time. It explains what SASE is, why it emerged, how it differs from Security Service Edge (SSE), and how organizations can use SASE as a modern framework for secure access. The goal is to build shared understanding before diving into tools or technical decisions.

What is SASE?

Secure Access Service Edge (SASE) is a cloud-delivered approach that combines networking and security capabilities into a unified access model.

Instead of relying on centralized data centers and fixed network perimeters, SASE delivers secure access closer to users and applications, using cloud services to apply policies in most user locations.

At a foundational level, SASE shifts access and security from being network-centric to identity-centric. This is why SASE is often discussed early in security modernization efforts that also include Zero Trust.

Why SASE is often a starting point

Many organizations begin exploring SASE because existing models no longer match how work happens today.

Traditional assumptions:

Users worked primarily from corporate offices
Applications lived inside data centers
Network location determined trust

Today’s reality:

Employees work remotely or in hybrid models
Applications live across multiple clouds and SaaS platforms
Contractors and partners require controlled access
Devices connect from many different networks

SASE provides a way to align secure access with these realities, making it a natural entry point for organizations looking to modernize without immediately restructuring their entire environment.

Core concepts to understand when getting started with SASE

SASE is not a single technology or deployment. It is a framework made up of several core ideas:

Cloud-Delivered Networking
Connectivity adapts to where users and applications are located rather than forcing traffic through fixed sites.
Integrated Security Controls
Security inspection and enforcement are applied consistently across users, devices, and destinations.
Identity-Aware Access
Access decisions are based on who the user is and the context of the request, not the network they are coming from.
Globally Distributed Delivery
Services are delivered through cloud infrastructure that operates close to users around the world.

Understanding these concepts early helps teams define what SASE means for their environment before evaluating vendors or technologies.

How SASE fits with Zero Trust

SASE is closely aligned with Zero Trust principles, which require continuous verification of access requests and avoid relying on implicit trust.

Rather than replacing Zero Trust, SASE provides a scalable architecture for supporting it in distributed, cloud-first environments. It helps enforce identity-based access and apply consistent security policies regardless of user or application location.

For many organizations, SASE is a practical way to begin operationalizing Zero Trust for real-world access scenarios.

SASE vs. SSE: An important early distinction

When getting started with SASE, teams often encounter the related term Security Service Edge (SSE). Understanding the distinction helps clarify scope and expectations.

What Is SSE (Security Service Edge)?

SSE is a cloud-delivered security model focused specifically on protecting user access to:

The web
Cloud and SaaS applications
Private applications

SSE concentrates on security controls and policy enforcement. It does not address network optimization or routing.

How SASE and SSE Are Related:

SASE is the broader architecture that combines networking and security.
SSE represents the security portion of SASE.

In other words, SSE is a subset of SASE. Many organizations begin their modernization journey with SSE because it allows them to improve user access security before making broader networking changes.

Using scenarios to build early understanding

When first learning about SASE, scenarios often help bring the concepts to life. For example:

A remote employee securely accesses applications without routing traffic through a corporate office.
A contractor receives limited, identity-based access without joining the internal network.
A branch office connects directly to cloud services without relying on complex on-premises infrastructure.
These examples illustrate the outcomes that SASE helps enable, which helps teams evaluate alignment with their needs.

Who should be involved when getting started with SASE?

SASE discussions often involve multiple roles, even in early conversations:

IT leaders evaluating future access models
Security teams supporting Zero Trust initiatives
Network professionals adapting connectivity to cloud delivery
Business leaders focused on reducing complexity and risk

Because SASE spans both networking and security, early alignment across these teams often determines long-term success.

How to get started with Microsoft Global Secure Access

Microsoft Global Secure Access helps organizations begin their SASE journey by delivering identity-aware, cloud-delivered access controls. Here’s how to start:

Deploy the traffic forwarding client to route user traffic through Microsoft’s global network for policy enforcement.
Apply Conditional Access policies to enforce identity-based access decisions.
Enable shadow AI visibility to monitor and control unsanctioned app usage.

These steps help organizations operationalize Zero Trust principles while building toward a full SASE architecture.

See Microsoft Global Secure Access in action

Getting started means building the right foundation

Getting started with SASE does not begin with tools or deployments. It begins with a shared understanding. SASE provides a way to think about secure access that is:

Cloud-based
Identity-driven
Consistent across users and locations

For organizations navigating hybrid work and cloud adoption, understanding SASE concepts early helps create a foundation for designing secure access strategies that scale with the business.

Next Steps

Explore Microsoft Global Secure Access documentation
Take the Microsoft Learn Zero Trust modules
Read related blogs on modern identity security strategies

-Sule Tatar, Senior Product Marketing Manager

Additional resources

What Is Secure Access Service Edge (SASE)? | Microsoft Security

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Designed for Surface Accessories for Frontline Work

hannahtodd — Thu, 30 Apr 2026 21:52:43 GMT

Frontline scenarios often involve Surface devices that are shared across shifts, used in physically demanding settings, or deployed across multiple locations. In these situations, accessories play a critical role in shaping how devices are configured for day‑to‑day use and how well they perform within the environments in which they are used.

Designed for Surface (DfS) accessories are built to support these frontline needs, providing purpose‑built solutions for shared use, mobile workstyles, and access-controlled environments.

Below are a few frontline deployment patterns that help illustrate how accessories can be used to adapt Surface devices for healthcare, manufacturing, and government use cases.

Healthcare | Shared Devices and Fixed-Station Use

Pictured, left to right: UAG Plasma Healthcare for Surface Pro, 13-inch, The Joy Factory Elevate II Countertop Kiosk in White.

In many healthcare scenarios, Surface devices are deployed both in fixed locations and on-the-go, often by multiple users throughout the day. Fixed stations typically benefit from a consistent physical setup that supports reliability and frequent interaction in busy environments, while shared mobile devices require added protection to withstand regular handling.

Common in areas such as check-in desks or shared workspaces, enclosures such as The Joy Factory’s Elevate II kiosks allow Surface devices to stay protected in fixed locations across departments or facilities and come in a variety of mounting options. Shared devices in this environment are also frequently handled, so protective options such as the UAG Plasma Healthcare cases for Surface Pro, 13-inch and Surface Pro, 12-inch can be sanitized with disinfectants repeatedly without altering case integrity and are tested by an independent third-party to MIL‑STD‑810G standards¹. The Surface Pro, 12-inch variant also features swappable rear camera rings for colorful differentiation and visually identifying devices across business departments.

Manufacturing | Rugged Mobile Use

Pictured, left to right: MobileDemand xCase with Scanner for Surface Pro, The Joy Factory aXtion Go MP for Surface Pro, 12-inch.

In manufacturing settings, Surface devices are often on the move—being carried across a site, handled during active workflows, or used alongside task specific equipment and peripherals.

Surface devices in demanding environments are benefited by accessories designed for mobile and rugged use. For example, The Joy Factory’s aXtion Go MP for Surface Pro, 12‑inch is IP68-rated for protection against dust and water ingress¹, supporting usage in environments where devices can be handled in various contexts. Other protective solutions like the MobileDemand xCase with Scanner for Surface Pro can also be used for inventory tracking. These accessories illustrate how Surface devices can be paired with additional, industry-specific capabilities for task focused workflows.

Government | Access‑Controlled and Physically Secured Use

Pictured, left to right: UAG Scout Series Smart Card Reader Case, Kensington BlackBelt Rugged Case with Integrated Smart Card Reader & HDMI, Kensington Keyed Cable Lock.

Some environments call for additional considerations around how Surface devices are accessed and secured during use. This pattern is often seen in government, where devices may be shared, deployed in the field, or used in sensitive environments that require additional security needs.

In environments where security matters, these deployments are supported by accessories that integrate security features into their design. Surface devices can integrate with smart card-based authentication workflows when paired with cases like the UAG Scout Series Smart Card Reader Case, or the Kensington BlackBelt Rugged Case with Integrated Smart Card Reader (CAC) & HDMI, which have built-in, TAA-compliant card readers for access‑controlled use in shared or secured environments.

These solutions can also be combined with physical security options such as locks, to physically secure devices both in and out of use. Non-invasive solutions, such as the Kensington Combination Lock and Keyed Cable Lock, provide an added layer of deterrence against unauthorized removal without requiring device modification.

Applying These Patterns

Frontline deployments need to scale across roles, sites, and environments, while still supporting the different ways people actually work. Looking at these deployments through common patterns offers a framework for choosing the right combinations of Surface devices and accessories to help meet a broad range of frontline needs.

The Designed for Surface program offers an ecosystem of certified accessories from trusted manufacturers that support these patterns across industries, helping organizations leverage Surface across frontline use cases.

Explore the full catalog of 200+ Designed for Surface accessories and see how they can support frontline work² by visiting DesignedforSurface.com.

Footnotes

¹ MIL‑STD‑810G and IP68-rating testing conducted by the accessory manufacturer. Testing is not a guarantee of future performance under all conditions.

²Surface devices and Designed for Surface accessories are intended for general business use. Third‑party accessories may require additional validation to meet industry specific regulatory, safety, or procurement requirements.

Prompt flow is being retired

Shubhendu_Satsangi — Thu, 30 Apr 2026 21:15:00 GMT

What you need to know

Prompt flow in Microsoft Foundry and Azure Machine Learning will be retired on 20 April 2027.

As part of this change, Microsoft recommends moving to Microsoft Agent Framework, which provides a production-ready foundation for building agent and workflow-based AI applications. Microsoft Agent Framework 1.0 is generally available for both Python and .NET. During the transition period, customers should begin planning and executing their migration so that existing applications, workflows, and deployments are moved to supported alternatives before the retirement date.

What is changing

After 20 April 2027, prompt flow components will no longer be supported.

This includes:

the web authoring experience in Microsoft Foundry and Azure Machine Learning
the VS Code extensions for prompt flow
the prompt flow base image used in deployments

During deprecation period till 20 April 2027, prompt flow will continue to receive security and critical bug fixes, but no further feature development is planned.

Recommended path forward

Microsoft recommends Microsoft Agent Framework (GA since 3 April 2026) as the primary path forward for customers using prompt flow. The framework supports both agents and workflows, and is designed for production use with stable APIs and long-term support.

You can learn more here:

What customers need to do

Review your current prompt flow usage

Start by identifying where prompt flow is currently used across your organization, including:

active applications
existing workflows
deployed endpoints
development or evaluation workflows
operational dependencies tied to Prompt Flow

This helps you understand the scope of migration and prioritize the most important workloads first.

Plan your migration target

For most workflow and orchestration scenarios, the recommended destination is Microsoft Agent Framework. If you also rely on evaluation and tracing capabilities, review the latest supported options in Microsoft Foundry as part of your migration plan.

Rebuild and validate

Migration should include both:

rebuilding the application or workflow in the new framework
validating that the new implementation behaves as expected before production cutover

A phased approach is usually best: migrate one business-critical scenario first, validate it, and then expand to additional workloads. Migration is a multi-phase process that includes audit, rebuild, validation, operational migration, and cutover.

Update deployments and operations

If your solution uses prompt flow deployments today, plan to move those deployments to supported alternatives before retirement.

What to expect during migration

Migration may not always be like-for-like

Customers should plan for migration as an application update, not just a platform switch.

In some cases, especially where prompt flow was used heavily as a visual authoring experience, migration may require some redesign of the solution rather than a direct one-to-one replacement. Customers should not assume a simple visual replacement and may need to preserve the business outcome rather than recreate the exact previous experience.

Start with the highest-value scenarios

A practical approach is to:

identify production-critical flows first
migrate the most important scenarios before lower-priority ones
validate outputs side-by-side where needed
complete rollout well before the retirement date

Support and help

If you need additional guidance:

Review the migration guide and code samples
Learn more about Microsoft Agent Framework
If you need technical assistance, use your standard Azure support channels:
- Get answers from community experts in Microsoft Q&A
- Create a support request. 
  - For Issue type, select Technical. 
  - For Subscription, select your subscription. 
  - For Service, select My services, then select Machine Learning or Microsoft Foundry. 
  - For Summary, type a description of your issue. 
  - For Problem type, select prompt flow.
  - For Problem subtype, select your appropriate problem area.

Learn more about service retirements that may impact your resources in the Azure Retirement Workbook. Please note that retirements may not be visible in the workbook for up to two weeks after being announced.

What’s new in Microsoft Sentinel: April 2026

vkokkengada — Thu, 30 Apr 2026 20:59:31 GMT

Welcome to the April 2026 edition of What's new in Microsoft Sentinel. April brings a broad set of updates, with RSAC 2026 announcements rolling out alongside new features. Highlights include cost limit enforcement to prevent runaway query costs, curated open-source intelligence in Threat Analytics, and new data connectors for CrowdStrike, Imperva, AWS, and Logstash. Together, these innovations help security teams control costs, stay ahead of emerging threats, and broaden visibility without added complexity.

Read on to learn what's new with Sentinel.

What's new

OSINT reports in Threat Analytics [Preview]

Customers can now consume curated OSINT articles alongside Microsoft-authored Threat Analytics reports, all in one place. (OSINT, or open-source intelligence, is any information readily available to the public.) These OSINT articles come enriched, as detailed in the following list, to help security teams move quickly from awareness to action.

What’s included:

Curated OSINT articles derived from trusted open-source research

Clear summaries with links back to original sources

Extracted indicators of compromise (IOCs)

Mapped MITRE ATT&CK tactics and techniques

Microsoft enrichment, analysis, and recommended actions (when available)

By bringing OSINT directly into Threat Analytics, we’re reducing context switching, improving analyst efficiency, and helping customers operationalize open-source intelligence faster within their Defender workflows. Learn more.

Cost limit enforcement for KQL queries and notebooks [Preview]

Sentinel data lake cost policies do more than just send an alert when usage gets too high. You can set hard limits for KQL queries, jobs, and notebook sessions that block new work once a threshold is exceeded, eliminating surprise bills from runaway queries or heavy workloads. For example, instead of finding out about cost spikes after you run large queries against the data lake tier, enforcement stops further queries before the damage is done. Anything already running still finishes normally, and you get clear messaging about what happened and what to do next. You can lift guardrails temporarily, adjust thresholds, or disable enforcement on the fly. Learn more.

Figure 1: Create cost management policies in the Microsoft Defender portal to automatically block new queries and jobs when usage limits are exceeded

Sentinel data connectors

With 380 Sentinel data connectors, customers achieve broad visibility into complex digital environments and can expand their security operations effectively. Below are the latest updates.

CrowdStrike API Connector [Generally Available]

The CrowdStrike API Connector ingests logs from CrowdStrike APIs into Sentinel, fetching details on hosts, detections, incidents, alerts, and vulnerabilities from your CrowdStrike environment.

Imperva Cloud WAF [Preview]

The Imperva Cloud WAF data connector ingests Imperva logs into Sentinel through AWS S3 buckets, giving you visibility into web application traffic and threats detected by your Imperva deployment for monitoring, investigation, and threat hunting in Sentinel.

AWS Elastic Load Balancer (ELB) [Preview]

This connector allows you to ingest AWS Elastic Load Balancer (ALB, NLB, and GLB) logs into Sentinel. These logs contain detailed records for requests handled by your load balancers, including client IPs, latencies, request paths, and status codes. These logs are useful for monitoring traffic patterns, investigating anomalies, and ensuring security compliance.

Logstash Output Plugin [Preview]

For organizations that rely on Logstash to collect from on-premises, legacy, or air-gapped environments, the Sentinel Logstash Output Plugin has been rebuilt in Java to align with Microsoft's Secure Future Initiative (SFI) and provide improved security and long-term maintainability. The plugin uses the Azure Monitor Logs Ingestion API with Data Collection Rules (DCRs), giving you full schema control and the ability to ingest directly into Sentinel data lake as well as standard Sentinel tables. Learn more.

Sentinel data federation [Preview]

Sentinel data federation enables unified visibility and security analytics across federated and ingested data, without compromising data governance. Security teams can quickly query data in Microsoft Fabric, Azure Data Lake Storage (ADLS) Gen2, and Azure Databricks directly from Sentinel, no data movement required. This approach allows teams to explore data broadly through federation, then selectively ingest what matters most into Sentinel to unlock advanced detections, automation, and AI‑powered analytics. Learn more.

Figure 2: Federated data appears alongside native Sentinel tables for unified investigation and hunting

Sentinel cost estimation tool [Preview]

Customers and partners can confidently estimate Sentinel costs using the cost estimation tool. With meter-level guidance, you can model ingestion across analytics and data lake tiers, compare retention options, and estimate compute costs. Built‑in projections of up to three years offer transparency into spend, making it easier to plan, optimize, and share estimates. Try the Sentinel Cost Estimator.

Figure 3: A guided, meter-level Sentinel cost estimator with three-year projections helps organizations model data growth, predict spend, and plan Sentinel adoption with confidence.

Microsoft Entra and Azure Resource Graph (ARG) connector enhancements [Preview]

Enable new Entra assets (EntraDevices, EntraOrgContacts) and ARG assets (ARGRoleDefinitions) in existing asset connectors, expanding inventory coverage and powering richer, built‑in graph experiences for greater visibility.

Create workbook reports directly from the data lake [Preview]

Sentinel workbooks can directly run on the data lake using KQL, enabling you to visualize and monitor security data straight from the data lake. By selecting the data lake as the workbook data source, you can create trend analysis and executive reporting.

Custom graphs [Preview]

Custom graphs let you model relationships unique to your organization using data from Sentinel data lake, non-Microsoft sources, and federated data sources, all powered by Fabric. Instead of stitching together dozens of tables manually, you can build graphs that surface blast radius, trace attack paths, map privilege chains, and spot structural outliers like unusually broad access or anomalous email exfiltration. You can generate custom graphs using AI-assisted coding in the Microsoft Sentinel VS Code extension, persist them via a schedule job, and access them in the graphs experience in the Defender portal. Run Graph Query Language (GQL) queries, visualize results, and interactively traverse the graph to the next hop with a single click. These graphs also provide the knowledge context that enables AI-powered agent experiences to work more effectively, speeding investigations and helping you move from disconnected alerts to confident decisions at scale. Custom graph API usage for creating and querying graphs is billed according to the Sentinel graph meter. Learn more.

Figure 4: Query, visualize, and traverse custom graphs with the graph experience in Sentinel

MCP entity analyzer [General availability]

Entity analyzer provides reasoned, out-of-the-box risk assessments that help you quickly understand whether a URL or user identity represents potential malicious activity. It analyzes data across threat intelligence, prevalence, and organizational context to generate clear, explainable verdicts you can trust. Entity analyzer integrates with your agents through Sentinel MCP server connections to first-party and third-party AI runtime platforms, or with your SOAR workflows through Logic Apps. It also serves as a trusted foundation for the Defender Triage Agent, delivering more accurate alert classifications and deeper investigative reasoning. Entity analyzer is billed based on Security Compute Units (SCU) consumption. Learn more about entity analyzer and MCP billing.

Figure 5: Entity analyzer delivers explainable, multi-signal risk assessments for URLs and user identities directly within your investigation workflow

Sentinel MCP graph tool collection [Preview]

Graph tool collection helps security teams visualize and explore relationships between identities and device assets, threats, and activity signals ingested by data connectors and alerted by analytic rules. The tool provides a clear graph view that highlights dependencies and configuration gaps, which makes it easier to understand interactions across environments. This tool helps security teams assess coverage, optimize content deployment, and identify areas that may need tuning or additional data sources—all from a single, interactive workspace. Executing graph queries via the MCP tools triggers the graph meter.

Claude MCP connector [Preview]

Anthropic Claude can connect to Sentinel through a custom MCP connector, giving you AI-assisted analysis across your Sentinel environment. Microsoft provides step-by-step guidance for configuring a custom connector in Claude that securely connects to a Sentinel MCP server. With this connection you can summarize incidents, investigate alerts, and reason over security signals while keeping data inside Microsoft's security boundary. Access to large language models (LLMs) is managed through Microsoft authentication and role-based controls, supporting faster triage and investigation workflows while maintaining compliance and visibility.

CVEs of interest in the Threat Intelligence Briefing Agent [Preview]

The Threat Intelligence Briefing Agent delivers curated intelligence based on your organization’s configuration, preferences, and unique industry and geographic needs. The agent surfaces Common Vulnerabilities and Exposures (CVEs) of interest, highlighting vulnerabilities actively discussed across the security landscape and assessing their potential impact on your environment for more timely threat intelligence insights. The agent automatically incorporates internet exposure data powered by the Sentinel platform to surface threats targeting technologies exposed in your organization. Together, these enhancements help you focus faster on the threats that matter most, without manual investigation.

Additional resources

Blogs and documentation:

Webinars and training:

Stay connected

Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Microsoft Sentinel. We’ll see you in the next edition!

Work IQ API Public Preview: Build Copilot Powered Agents with A2A

tolgaki — Thu, 30 Apr 2026 20:22:39 GMT

Today, the Work IQ API is available in public preview, expanding access to the same underlying intelligence capabilities used by Microsoft 365 Copilot for developers and partners.

Work IQ gives developers programmatic access to Copilot so you can build agents and apps that use Copilot’s grounding, context, and reasoning without wiring raw data or permissions. In this public preview, that access is exposed in three formats—Agent‑to‑Agent (A2A) for agent collaboration, Model Context Protocol (MCP) for IDEs and tools, and REST for app integrations—letting you choose the right surface for your scenario while relying on the same intelligence runtime.

Work IQ continuously builds context through memory and a semantic index across organizational data, Microsoft 365, line‑of‑business systems, and external sources. The result is a unified foundation for building agents, applications, and workflows grounded in how work actually happens, with enterprise‑grade security and governance built in by default.

With the Work IQ API, developers build on permission‑aware intelligence—context, intent, signals, and skills—so applications and agents understand what’s in motion, what’s been decided, and what needs attention next.

For developers, this means:

No raw data wiring: Work with intelligence instead of directly accessing emails, files, or chats.
No orchestration overhead: A single runtime handles context assembly, grounding, skill selection, and tool invocation.
No security rework: Enterprise compliance, governance, and access controls are inherited automatically.

Where Work IQ API is available

Work IQ API meets developers where they are, supporting four protocols that share the same underlying intelligence runtime. This means that the behavior, grounding, and response quality stay consistent across every surface.

Model Context Protocol (MCP) — local server (available now): Works with GitHub Copilot through the Work IQ CLI, giving MCP-compliant agents governed access to organizational context as tools and resources directly from their IDE or CLI workflow.
Agent-to-Agent (A2A), new in this public preview: A cloud-hosted protocol that enables custom agents to interact directly with Copilot intelligence as a peer—delegating work, receiving grounded responses, and maintaining context across interactions.
REST (coming May 2026): Standard request/response access to Work IQ intelligence for applications and integrations that don't require streaming or agent-to-agent coordination.
Model Context Protocol (MCP) — remote server (coming May 2026): A hosted MCP server exposing a standard set of tools and skills for interacting with M365 data, so any MCP-aware surface can connect to Work IQ without running a local server.

What’s new: Agent-to-Agent (A2A) protocol

This public preview introduces the Agent‑to‑Agent (A2A) protocol, which allows custom‑built agents to interact directly with the intelligence layer behind Copilot. Over time, A2A will expand to support collaboration across a broader set of agents and tools that support A2A or MCP, meaning agents can work together with specialized, organization‑aware capabilities.

With A2A, agents communicate as peers. Rather than calling a traditional API and parsing a response, an agent can delegate work to another agent running on Work IQ—an agent with access (subject to the user’s and tenant’s permissions) to organizational context across emails, meetings, files, and conversations—and receive responses that are grounded in enterprise data and governed by the same security and compliance policies.

Here’s what that looks like in practice: a single A2A message sent to a Copilot agent using standard .NET A2A SDK:

var credential = new InteractiveBrowserCredential(clientId);
        var token = await credential.GetTokenAsync(new (["api://workiq.svc.cloud.microsoft/WorkIQAgent.Ask"]));
        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.Token);

        // Create an A2A client that talks to the default WorkIQ agent endpoint, using the authenticated HttpClient
        var client = new A2AClient(new Uri("https://workiq.svc.cloud.microsoft/a2a/"), httpClient);

        // Compose a query
        var question = "What meetings do I have tomorrow that I need to prepare for?";

        // Send the query and WorkIQ returns an A2A task that when complete will contain
        //  a grounded, permission-trimmed answer
        var response = await client.SendMessageAsync(new SendMessageRequest
        {
            Message = new Message
            {
                MessageId = Guid.NewGuid().ToString("N"),
                Role = Role.User,
                Parts = [Part.FromText(question)]
            }
        });

Developers can rely on Work IQ to handle common retrieval and permission-enforcement tasks, reducing the need to build and maintain custom pipelines. The full working samples (C#, Rust, and Swift) are available here.

What A2A unlocks for developers

Multi-agent collaboration: Your agents delegate to Copilot agents that understand organizational context.
Embedded intelligence via agents inside SaaS products that tap into a customer’s real work context.
Enterprise assistants tailored to specific roles, powered by Copilot’s grounding and reasoning.
Autonomous workflows where agents hand off tasks, track progress, and exchange structured artifacts.

See A2A in action

The demo above shows an agent sending a natural-language request to Copilot via A2A and receiving a streamed, grounded response—backed by the user’s real organizational data, with no custom retrieval or permissions code. Try it yourself with the Work IQ samples on GitHub.

How developers can use Work IQ API

Whether you’re connecting agents via A2A, surfacing organizational context through MCP in developer surfaces like IDEs and CLIs, or embedding conversational experiences via REST, the patterns share a common foundation.

A2A is the natural fit when your agent needs to collaborate with Copilot intelligence as a peer—delegating work, receiving structured results, and maintaining context across interactions. For example, a sales enablement agent could ask to pull together a customer's recent email threads, meeting notes, and shared documents, then use that grounded summary to auto-generate a pre-call brief—without ever touching the raw data itself.

MCP is ideal when you need to expose Work IQ data as tools and resources to an existing MCP-compliant agent using standard protocols and tooling, without needing custom, one-off connections. For example, with the Work IQ CLI running as a local MCP server, a developer using GitHub Copilot can ask, "What did the team decide about the migration timeline?" and get an answer grounded in actual emails, meeting transcripts, and chat threads—right inside their IDE, without leaving their coding workflow.

The common thread across these approaches is a shift from isolated AI features to agent‑driven systems that stay aligned with how work actually unfolds.

Security and governance

Developers can rely on Work IQ for common security and compliance controls. The Work IQ API draws a clear platform boundary between data access and intelligence:

Permissions: User and tenant permissions, conditional access policies, and sensitivity labels are automatically enforced.
Responses: Permission-trimmed by design.
Compliance: All activity operates within the same audit, compliance, and data-loss-prevention boundaries as Microsoft 365.

Because the API exposes intelligence rather than raw data, applications cannot accidentally bypass tenant security or create shadow-AI risks. Agents operate within the tenant’s existing security and compliance controls from day one.

What comes next for Work IQ

Users with the appropriate license will be able to access Work IQ in customer and partner apps and agents starting today.

General availability is planned for summer 2026. The Work IQ API will also be available to unlicensed users on a consumption basis in summer 2026.

We will continue to add more to the Work IQ API in the coming weeks and months. Our investments will target three areas:

M365 Agent access, enabling more M365 agents to work with and alongside agents across the Copilot ecosystem, unlocking richer multi-agent collaboration patterns.
Remote MCP server public preview, exposing Work IQ as tools and related skills for MCP-compliant agents, so any MCP-aware surface can access governed organizational context.
Deeper connection and richer intelligence, expanding across platforms and developer tools in addition to building on top of organizational data with contextual grounding, skills, and tools.

Resources

Building with the Work IQ API and have questions? Join our developer communities for support:

Microsoft Q&A: Microsoft Copilot | Microsoft 365 Copilot | Development
GitHub: Work IQ GitHub repository: microsoft/work-iq: MCP Server and CLI for accessing Work IQ
Reddit: copilotstudio or microsoft_365_copilot subreddits
Documentation: Microsoft Work IQ API (preview) | Microsoft Learn
Samples: https://github.com/microsoft/work-iq-samples

We can’t wait to see what you build.

Accelerating the Flow of Learning

MikeTholfsen — Thu, 30 Apr 2026 18:07:39 GMT

By Vince Frankson, Authentica Solutions | Guest Post via the Microsoft Education Blog

Education technology leaders are not short on vision; they are short on time. They know exactly what their Microsoft 365 environment is capable of. What they deserve are better tools, smarter automation, and a partner that shows up ready to serve.

At Authentica Solutions, we pride ourselves on our culture of servant leadership, not just as a slogan, but as our guiding principle. Our mission is to support and serve district technology teams, ensuring that technology enhances their valuable work rather than making it more complex.

Everything we build is organized around one purpose: accelerating the flow of learning. Not technology for its own sake... tools and services focused at getting teachers back to teaching, students back to learning, and district leaders back to the decisions that matter most.

With the school year winding down and Back to School planning already on the horizon, there is no better moment to look at where your Microsoft 365 environment stands, and how the right tools and the right team can compress your timeline, free your people, and make this the smoothest Back to School launch yet.

District Technology Teams Deserve Better Tools

K-12 technology leaders oversee complex systems, sometimes across multiple campuses, and support a wide range of users. While Microsoft 365 offers advanced features, many remain underused due to the time and expertise required for full implementation.

Microsoft’s School Data Sync (SDS) is a great example. It is a genuinely powerful free service that automates the flow of student roster and identity data from your Student Information System (SIS) into Microsoft Entra ID, provisioning Teams classrooms, Intune device groups, SharePoint sites, and OneNote Class Notebooks automatically, at scale. The platform is exceptional. Fully configuring it, keeping it healthy across an academic year, and extending its value into the rest of the data ecosystem is specialized work that deserves specialized support.

Authentica addresses this gap by providing support so school IT teams can focus on high-impact tasks, helping educators and students achieve more.

Authentica seed™: Built to Accelerate the Flow of Learning

Authentica seed™ is Authentica’s Education Intelligence Cloud Service, designed to streamline learning by enabling clean, automated, bidirectional data pipelines. This allows teachers to access rosters quickly, students to begin learning immediately, and administrators to monitor instruction in real time, accelerating progress for everyone.

Getting Your Data into Microsoft 365

seed™ sits between your SIS and SDS, handling data preparation, mapping, and delivery so your team can focus on higher-value work. Districts that previously invested significant time in validation cycles and configuration troubleshooting are reaching full value in a fraction of the time.

Automated SIS-to-SDS delivery with built-in validation, so errors are caught before they ever reach your tenant.
Support for OneRoster API and CSV formats across all major SIS platforms, meeting your district where it already is.
Automatic provisioning of users, classes, and groups across Microsoft Entra ID, Teams, SharePoint, Exchange, and Intune for Education.
Manage Student Age Groups to limit or support access to Microsoft Copilot for students 13+.

Every hour returned from focusing on the data pipeline is an hour returned to learning. That is Cloud with Purpose.

Getting Your Data Back Where It Belongs

Learning does not stop at the edge of Microsoft 365, and neither should your data. seed™ closes the loop by moving grade data, assessment data, and engagement signals back to the platforms that need them, automatically.

Back to your SIS: Keeping your system of record current and authoritative without double grade entry.
To your Analytics platform: Giving administrators and instructional coaches visibility into what is working, event making Microsoft 365 activity visible, without waiting for manual exports.
Building your dream data estate: What if you could combine your academic and instructional data, your operations and staff data, and your financial data into a single place? What if you could have it prepped and ready so you can ask questions with Copilot and / or AI Agents.
- Which schools have the most students off track right now? Top 5, and why.
- Where are we spending the most with the weakest results? Top 3.

One connected data ecosystem. Compounding the return on every platform investment your district has made and accelerating the flow of learning throughout.

UsageIQ™ Microsoft 365 Edition: Giving Leaders the Visibility They Deserve

District technology leaders make consequential decisions about licensing, training, and support every year. They deserve data that makes those decisions clear. Authentica UsageIQ™ Microsoft 365 Edition was built to provide exactly that: a straightforward, actionable picture of how your Microsoft 365 environment is being used across the organization.

Not a consultant engagement. Not a manual pull from the admin portal. A purpose-built, single view of your tenant that tells you what you need to know, when you need to know it.

App-by-app usage across your tenant: Teams, SharePoint, OneDrive, Exchange, OneNote, and more, in one place.
School-by-school and role-based breakdowns: See where adoption is strong and where targeted support would unlock real value.
License utilization insights: Ensure every seat is earning its value and renewal conversations are grounded in actual usage data.
Back to School readiness views: Identify accounts and configurations that need attention before day one, not after.

When technology leaders can see clearly, they lead confidently. That visibility is not a luxury. It is what great tools are supposed to deliver.

Managed Services for Microsoft 365: A Team That Has Been Here Before

At Authentica, we deliver Managed Services with a servant leadership mindset. We're not just a helpdesk, our team has years of experience at Microsoft, having built education solutions like SDS, Teams for Education, and Graph APIs. We support your district as an expert extension to handle critical Microsoft 365 tasks efficiently, allowing your technology staff to focus on their key responsibilities.

What Managed Services for Microsoft 365 Covers

End-of-Year close support for SDS expiration management, tenant cleanup, graduating account archiving, and identity hygiene, handled on time and on spec so your team can close the year cleanly.
Back to School launch for new year SDS configuration, classroom provisioning, device group refresh, and Conditional Access review, so teachers walk into a working environment on day one.
Ongoing SDS health monitoring and proactive troubleshooting, so issues are resolved before they become incidents
Microsoft Entra ID and identity management support across the full user lifecycle.
Teams for Education configuration, governance, and adoption enablement.
Intune for Education device policy and deployment support.
Copilot readiness assessment and enablement, so your district is positioned for AI-powered learning when you are ready to move.

This is what it looks like when your Microsoft 365 environment has a team behind it that is fully committed to your success, not just at launch, but every day.

End of School Checklist: Five Things Worth Doing Before Summer Break

These are the actions that make Back to School smoother, faster, and less reactive. Your team knows this; this is a reminder of what is worth prioritizing before the calendar turns.

Audit Microsoft Entra ID for inactive and graduating accounts. Clean identities now mean a cleaner, more secure tenant heading into the new year, and fewer licensing surprises at renewal.
Review your SDS sync health. Check error and warning logs now. Small data issues that are easy to address in the spring become August emergencies. Get ahead of them while there is room to breathe.
Check your Microsoft 365 license utilization. If you are on A3 or A5, are those features actively working for your district? UsageIQ™ Microsoft 365 Edition can show you the full picture and give you a clear story heading into renewal season.
Archive Teams classes from the current year. Establish your retention and archival approach before the new year roster drop. A clean tenant makes everyone faster, IT, teachers, and students.
Plan your Back-to-School timeline now. Microsoft School Data Sync (SDS) provisioning for a large district takes time. Build in buffer, engage your support resources before August, and set your team up to launch the year confidently instead of reactively.

We Are Here to Serve

Authentica Solutions is offering a complimentary Microsoft 365 Readiness Assessment for districts that want a clear picture of where they stand before the new year begins. This is a straightforward conversation with our team, people who have been inside these systems for years, helping you identify what is working, what is ready to unlock, and where the right tools can return the most value.

No pressure. Just expertise, in service of your district and the learning that happens inside it.

Let’s talk to schedule your complimentary Microsoft 365 Readiness Assessment.

About Authentica Solutions

Authentica Solutions is an EdTech company grounded in servant leadership and built around one purpose: accelerating the flow of learning. Our team, including former Microsoft engineers who built core Microsoft 365 education products, serves K-12 districts through seed™, UsageIQ™, reachAI™, and Managed Services for Microsoft 365. Cloud with Purpose. Visit www.authenticasolutions.com

Microsoft named a Leader in the 2026 Gartner® Magic Quadrant™ for Document Management

Matt-Taylor — Thu, 30 Apr 2026 21:23:14 GMT

AI is raising the bar for document management. It’s no longer enough to store and share files— content needs to be governed, structured, and connected to the way teams actually work so AI can reason over it responsibly and help people move from information to action.

That’s why we’re excited to share that Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Document Management, positioned highest for Ability to Execute.

We believe this recognition reflects the investments we’ve made in making SharePoint and OneDrive the unified knowledge platform at the heart of Microsoft 365, keeping content trusted and compliant, while making it more discoverable, more actionable, and more valuable as AI adoption accelerates.

In our view, this recognition is also a reflection of the customers and partners who build with us. Every day, users create 2 million new SharePoint sites, add 2 billion files, and run 3 billion automated workflows on SharePoint content each week, a scale that reflects how deeply document management is embedded in daily work. We’re excited to keep building what’s next with you.

Grounding Copilot in governed content

SharePoint and OneDrive serve as the trusted content layer for Microsoft 365 Copilot, giving AI a single, governed foundation to reason over. Over the past year we’ve deepened that connection across sites, files, and even encrypted content.

Reasoning over sites: Copilot reasons across SharePoint sites and libraries, understanding pages, files, and metadata together to answer questions with full site context and governance.
Reasoning over files (including encrypted content): Copilot can reason over individual SharePoint files — including image-level understanding in PowerPoint — and it can do so even when content is encrypted, while honoring permissions, sensitivity labels, and security policies.
Connect Copilot Studio and Foundry to SharePoint: Use SharePoint and OneDrive as a trusted knowledge source for agents built in Copilot Studio and Foundry, so they can retrieve grounded answers from governed content while respecting the same permissions and compliance controls.
AI-powered document insights: Every SharePoint site has an agent that can answer questions about site and library contents. Users can do scoped Q&A over one or many files, summarize, compare, and generate FAQs in one click, or listen to an Audio Overview of a file on the go.

AI-assisted work in SharePoint

AI in SharePoint is available now in public preview, so you can go beyond answering questions to getting real content work done right where your files live.

Turn ideas into execution: Describe the outcome you want and SharePoint proposes a structured plan — spanning sites, pages, libraries, lists, and starter content — so you can review and iterate before anything is created. With a single prompt, you can also kick off multi-step content work across SharePoint assets, staying in control to review, adjust, or interrupt as SharePoint executes.
Teach AI how your team works: Capture shared skills and context at the site level so one person can encode standards and everyone benefits. Skills help ensure consistent outputs, applying the same rules regardless of who asks or when.
From content chaos to Copilot ready: SharePoint keeps content structured, current, and governed with automated metadata tagging and proactive site health monitoring, so Copilot and agent experiences across Microsoft 365 are more relevant and reliable.

A modern, intuitive experience

We continue to invest in the fundamentals — fresh, clean, consumer-grade experiences that make content easier to find, author, and act on.

New SharePoint experience (rolling out now): A visual refresh and simpler navigation oriented around three core jobs: discovering what’s new, publishing content, and building solutions. Includes new front doors like Discover, Publish, and Build plus a new app bar that makes it faster to move across SharePoint and get back to the content you need.
Refreshed document libraries: A modernized UX with built-in AI actions and forms for file intake, bringing insights, actions, and collection into the library experience.
Page authoring and news publication: Best-in-class web authoring with flex sections, editorial cards, design ideas, motion, fine-grained image controls, and hero carousels. Viva Connections dashboards are now available on all SharePoint sites, with a new news feed that’s both user-personalized and tenant-programmable.

Strengthened governance and trust

Scaling AI on content only works if the content layer is governed and secure. This past year we delivered significant advances across governance, lifecycle, and data protection.

Copilot-ready content governance: SharePoint Advanced Management (SAM) delivers permission state reports to detect overshared sites and content, and Restricted Content Discovery lets admins exclude sites that aren’t ready for Copilot.
Content lifecycle management: SAM’s Inactive Sites Policy and Ownership Policy identify stale or unmanaged sites and drive remediation at scale.
Unified data protection with Microsoft Purview: Dynamic watermarking and broader label support extend protection across content types.
Records management in Purview: Multi-stage disposition through retention labels (up to five stages) enables multiphase review, relabeling, extension, and defensible deletion across Microsoft 365.

Content management and industry solutions at scale

As content management needs grow, customers want a single solution that blends secure collaboration with records, compliance, and line-of-business content, built for how specific industries and roles operate. SharePoint and OneDrive provide a flexible, governed foundation for regulated and high-volume content processes.

Governance by default: Metadata, retention, sensitivity labels, and permissions stay with content, supporting audit-ready control for regulated industries like financial services, healthcare, and the public sector.
Role-based experiences: Build repeatable journeys for HR, legal, and operations, from onboarding and case files to contract review, approvals, and publishing.
Secure internal and external collaboration: Enable controlled sharing for customer onboarding, vendor management, and partner workflows while maintaining policy enforcement and admin visibility.
AI-ready content: Keep information organized and trusted so Copilot and agents can deliver more relevant, permission-aware answers and next actions, especially for high-stakes roles working with sensitive content.
Connected with Microsoft 365 apps: Enter and update SharePoint metadata directly from Word; request and sign documents with eSignature from Word and PDFs in SharePoint; use AI-powered document assembly to generate compliant Word documents from approved templates; and rely on a single “hero link” per file that controls all access — no more juggling multiple sharing links.

Learn more about SharePoint, OneDrive, and Microsoft 365 Copilot

We remain committed to making content governed, intelligent, and AI-ready — so every document in your organization can become knowledge that moves work forward.

Start using Microsoft 365 Copilot today. Visit Microsoft365.com/copilot or download the Microsoft 365 Copilot app.
Learn about Microsoft SharePoint: https://www.microsoft.com/en-us/microsoft-365/sharepoint/
Learn about SharePoint’s latest AI capabilities: https://aka.ms/SharePointAI
Read more about 2026 Gartner® Magic Quadrant™ for Document Management: https://aka.ms/2026GartnerDocMgmtMQReport

Gartner, Magic Quadrant for Document Management, Tim Nelms, Jed Cawthorne, Rachel O’Farrel, Marko Sillanpaa, Stephen Emmott, April 28, 2026.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

*This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request here.

Dynamically remove apps from managed Windows 11 devices

Ingrid_Allen — Thu, 30 Apr 2026 18:00:00 GMT

You can now use policy to remove select pre-installed Microsoft Store apps on devices running Windows 11, version 25H2 or version 24H2. We've also made a significant update to this policy: a dynamic app removal list. This feature lets you remove any preinstalled MSIX/APPX app by referencing its Package Family Name (PFN).

What's the benefit? Fewer unwanted apps, simpler provisioning, and a more tailored desktop for your users. Just use a standard, policy-based approach that integrates with Microsoft Intune and Group Policy. This policy, called "Remove default Microsoft Store packages from the system," is available only on Enterprise and Education devices. The improvements are available starting with the April 2026 Windows non-security update. Additional Intune capabilities are coming.

Dynamic app removal list

Microsoft offers a set of robust policy controls to help you customize app availability for your users. With the latest updates to the RemoveDefaultMicrosoftStorePackages policy, you can now remove any MSIX/APPX packaged app. Just add its Package Family Name (PFN) to the new dynamic app removal list. Today, you can use Group Policy Object (GPO) or custom OMA-URI for mobile device management (MDM).

Group Policy

Here's how you can make it work using Group Policy:

Find the app's PFN using PowerShell. Use the following example, replacing "Notepad" with your desired app:
```
Get-AppxPackage *Notepad* | Select-Object PackageFamilyName
```
Open Group Policy Editor (gpedit.msc). Navigate to Computer Configuration > Administrative Templates > Windows Components > App Package Deployment and select Remove default Microsoft Store packages from the system.
Add the PFN to the multi-text list under Specify additional package family names to remove. Enter one package family name per line.

Custom OMA-URI

Alternatively, you can configure devices with the RemoveDefaultMicrosoftStorePackages Policy CSP. This ADMX-backed policy uses an XML payload to specify which apps to remove. For example, to remove Bing News and the Windows Alarms apps, see the last entry.

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RemoveDefaultMicrosoftStorePackages
Data type: string

Value:

<enabled/>
<data id="WindowsFeedbackHub" value="false"/>
<data id="MicrosoftOfficeHub" value="false"/>
<data id="Clipchamp" value="false"/>
<data id="Copilot" value="false"/>
<data id="BingNews" value="true"/>
<data id="Photos" value="false"/>
<data id="MicrosoftSolitaireCollection" value="true"/>
<data id="MicrosoftStickyNotes" value="true"/>
<data id="MSTeams" value="false"/>
<data id="Todo" value="false"/>
<data id="BingWeather" value="true"/>
<data id="OutlookForWindows" value="false"/>
<data id="Paint" value="false"/>
<data id="QuickAssist" value="false"/>
<data id="ScreenSketch" value="false"/>
<data id="WindowsCalculator" value="false"/>
<data id="WindowsCamera" value="false"/>
<data id="MediaPlayer" value="false"/>
<data id="WindowsNotepad" value="false"/>
<data id="WindowsSoundRecorder" value="false"/>
<data id="WindowsTerminal" value="false"/>
<data id="GamingApp" value="true"/>
<data id="XboxGamingOverlay" value="true"/>
<data id="XboxIdentityProvider" value="true"/>
<data id="XboxSpeechToTextOverlay" value="true"/>
<data id="XboxTCUI" value="true"/>
<data id="DynamicRemovalList" value="Microsoft.BingNews_8wekyb3d8bbwe&#x0D;&#x0A;Microsoft.WindowsAlarms_8wekyb3d8bbwe"/>

The XML payload includes a static list of app names (preceded by "data id") and corresponding values. Apps with the value of "true" will be removed. Apps with the value of "false" won't be removed.

You can remove additional apps by adding them to the value field of the "DynamicRemoval List" at the end of the payload. Separate multiple apps by the HTML-encoded carriage return + line feed characters ( 
), indicating a new line between each app name.

IMPORTANT: If you create a custom OMA-URI, you must open the dynamic list entry in the registry once on each device to which the policy is targeted. This helps ensure the correct format for the items in the dynamic list. Here is the entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages

Once configured, change happens at provisioning or on next user sign-in. The device uninstalls the apps you specify in the following two areas:

The default checkbox selections
The dynamic PFN list

Removed apps remain blocked from reinstallation while the policy is active.

IMPORTANT:

Removing an app also removes any associated on-disk app data. Therefore, notify users in advance if they need to save local data.

You can't use the dynamic list to remove system components. These components aren't supposed to be removed.

Prepare for Microsoft Intune capabilities

The Intune settings catalog entry for this policy doesn't yet contain the dynamic list option. It will be available in the following months.

When this feature becomes generally available in Intune, search for "Remove Default Microsoft Store packages" in the settings picker to locate it.

During rollout of the updated RemoveDefaultMicrosoftStorePackages policy, devices in your environment might support different CSP versions. If a device receives a policy that doesn't match its supported schema, the policy might fail to parse and won't be applied.

To prevent this, maintain your existing policy for older devices. Create a separate policy that includes the new dynamic app removal list for newer devices. Use Intune assignment filters or targeting rules (such as OS version or update rings) to help ensure that each device receives a compatible policy.

Once all devices are updated, and Intune fully supports the new CSP, you can safely consolidate policies.

Extended support: Windows 11, version 24H2 and later

The updated app removal policy is now extended to Windows 11, version 24H2 Enterprise and Education editions. Originally, you could only use this feature on devices running Windows 11, version 25H2 or newer. If your organization has standardized on the 2024 release, you can benefit from policy-driven app management without a full OS version upgrade. The same Group Policy path and enforcement behavior apply to all supported versions.

Supported Windows versions: Windows 11, version 24H2 and later
Supported Windows editions: Enterprise and Education (Home and Pro remain unsupported)

IMPORTANT: Ensure that your devices have the latest cumulative updates installed to receive these improvements. You need at least the April 2026 Windows non-security update. If you're a Windows Insider, you'd have this feature with the March 13, 2026 builds in the Dev and Beta channels.

Control your preinstalled apps like a pro

With dynamic app removal, you can remove any preinstalled app with a simple policy change. Benefit from a cleaner, more controlled Windows experience across your organization, now on even more devices. Start planning this policy rollout across your enterprise today.

Have feedback? Share your thoughts in the Feedback Hub (accessible using the shortcut WIN + F) under Developer Platform > App Deployment.

Learn more with additional resources:

Building Futures Through Community: Creating Pathways into Tech

TinaStenderup — Thu, 30 Apr 2026 19:19:42 GMT

For the team behind Experts Live Denmark - organized by the Microsoft MVP & RD community in Denmark - this belief has shaped how they think about community: not just as a place to share knowledge, but as a space to open doors into the industry. That thinking is what led to the collaboration with ReDI School of Digital Integration Denmark.

ReDI supports women with migrant and refugee backgrounds through digital education, mentorship, and career guidance. But as the organizers of Experts Live Denmark recognized early on, skills alone are not enough. The missing piece is often access to real environments - to people, conversations, and experiences that make the industry tangible. This is where the collaboration comes in.

From Learning to Real-World Experience

Rather than treating volunteers as event support, the approach has been to create an experience that reflects how the tech community actually works. As MVP Morten Knudsen says: “Our collaboration is not just about inviting volunteers to an event. It is about empowerment, mentorship, visibility, and long-term career support.”

Geetanjali Hinda at the Experts Live Denmark 2026 appreciation Dinner

For volunteers like Geetanjali Hinda and Poorva Tumbde, that difference was immediately visible.

Geetanjali describes it as a turning point: “It felt like a direct bridge between learning and the professional tech community.” What stood out most was not just the scale of the event - but how it felt to be part of it: “There was no clear divide between volunteers, learners, and experienced professionals. Everyone was approachable and willing to engage.”

That openness is intentional. From the organizer perspective, creating an environment where people feel able to engage—not just observe - is what turns an event into an entry point. And for Geetanjali, it changed the experience entirely: “I didn’t feel like I was just supporting the event. I felt like I was contributing to it.”

Confidence Comes From Participation

For many entering a new country and job market, confidence can be one of the biggest barriers. Geetanjali speaks candidly about that reality: “Being a job-seeking expat, you tend to lose your confidence.” Working in a fast-paced, real-world setting helped shift that: “It reminded me of my communication and coordination skills… especially when dealing with last-minute changes.” More importantly, it changed how she approached her role: “I became more comfortable taking initiative and stepping in where needed without waiting for direction.” And something unexpected emerged: “Even without a formal role, I found myself thinking proactively and focusing on solutions.” This shift - from waiting to contributing - is exactly what the experience is designed to enable.

Seeing the Industry Up Close

Poorva Tumbde

For Poorva, the journey began through ReDI School itself: “It has been a meaningful bridge… helping us connect with and better understand Danish work culture.” Through that connection, she stepped into Experts Live Denmark and experienced the industry firsthand. What stayed with her most was the energy of the community: “The event brought together more than 1,400 attendees from diverse cultural backgrounds… What stood out to me was the passion shared by everyone involved.” But beyond the atmosphere, the experience helped expand her perspective: “I gained a better understanding of emerging technologies, the increasing role of AI… and how innovation is shaping the future of the tech industry.” Exposure to real conversations, real challenges, and real expertise helped turn abstract interest into something more concrete.

Learning by Doing

A key part of the experience is hands-on involvement. Poorva highlights the practical side: “I gained hands-on exposure to publishing a WordPress website, automating email communications using Microsoft Forms, and understanding the intricacies of event logistics.”

At the same time, Geetanjali’s experience reflects another dimension—learning how to operate in dynamic environments. Together, these experiences provide something difficult to replicate elsewhere:

Applying skills in real scenarios
Understanding how collaboration works in practice
Navigating uncertainty and adapting in real time
Building confidence through contribution

From the organizer perspective, this is the goal. Not just to expose participants to the industry - but to help them practice being part of it.

More Than Technical Skills

Both experiences point to a broader realization. For Poorva, it came through exposure to sessions and experts. For Geetanjali, it came through participation and interaction. As she puts it: “Being part of the tech industry is not just about technical skills, but also about collaboration and mindset.” This is a critical shift. Because entering the industry is not only about what you know - it’s about how you engage, contribute, and connect.

Geetanjali welcoming people at Experts Live Denmark 2026

Why This Collaboration Matters

From the perspective of Experts Live Denmark, the collaboration with ReDI School is about creating continuity in the journey into tech.

ReDI provides the foundation:

Skills
Learning
Initial network

The community provides the next step:

Real-world exposure
Practical experience
Professional confidence

By connecting the two, the gap between learning and working becomes smaller - and more navigable.

Looking Ahead

For both Poorva and Geetanjali, the experience did not end with the event. It shaped how they see their next steps. Geetanjali reflects this clearly: “Going forward, I want to combine my technical development with active participation in professional communities… showing up with a mindset of contribution, accountability, and curiosity.”

That mindset - more than any single skill - is what enables long-term growth. And it is exactly what collaborations like this aim to support. Because building a strong tech community is not only about sharing knowledge. It is about bringing more people into it - and helping them find their place within it.

Experts Live is a global network of community-driven conferences that brings together Microsoft executives, MVPs and community members sharing practical, real-world knowledge through sessions, conversations, and networking.

Experts Live Denmark is happening again on February 9-10, 2027.

Partner Blog | Driving channel velocity in an AI-first world: Microsoft Marketplace at Channel Partners Conference

JillArmourMicrosoft — Thu, 30 Apr 2026 17:30:00 GMT

The recent Channel Partners Conference & Expo brought together thousands of channel leaders, technology providers, and ecosystem partners to explore what’s next for the channel—and how partners can accelerate growth in a market being rapidly reshaped by AI. With an audience deeply focused on differentiation, scale, and customer value, the conference highlighted how cloud, AI, and modern commerce models are redefining the partner opportunity.

Microsoft Marketplace participated as a Platinum sponsor, reflecting the central role the channel plays as customers move AI from experimentation into production. As partners guide strategy, deployment, and outcomes, Marketplace provides the commercial foundation—connecting partners, software companies, and customers through flexible, channel-led sales models that scale.

“Microsoft Marketplace gives enterprise and SMC customers a direct path to procure Devicie against their Microsoft commitments, while our channel-led sales motion extends our reach through the trusted partner relationships that help customers achieve better device management outcomes.”

Connor O’Reilly, Channel Sales Manager, Devicie

Continue reading here

Prefix-scoped access for User Delegation SAS is now generally available for Azure Blob Storage

despindola — Thu, 30 Apr 2026 17:00:00 GMT

We would like to share that prefix-scoped access for User Delegation SAS for Azure Blob Storage is generally available in all Azure regions.

SAS tokens for Blob Storage have historically supported two levels of scope: container and individual blob. With this release, you can now scope access to a prefix or virtual directory within a container, granting access to all blobs beneath the path.

This is especially valuable for applications that organize data by tenant, workspace, project, or department within a shared container. Instead of granting access to an entire container or generating many blob-level tokens, you can now issue a single SAS token scoped to a set of blobs through a prefix.

For example, if a container has these blobs:

contoso/sales/Q1-report.csv

contoso/sales/Q2-report.csv

contoso/invoice.pdf

A SAS token scoped to the prefix contoso/sales would grant access only to the two sales reports. This simplifies manageability by not having to generate multiple blob scoped tokens which significantly reduces overhead to manage permissions for large scale data storage estates. In addition, it helps customers provide more scoped permissions to a certain set of blobs rather than broader permissions at a container level.

Prefix-scoped access is supported for both Blob and Data Lake storage accounts.

As a best practice, we recommend using Entra ID with RBAC or ABAC for least privilege access. If you need to use SAS for your use cases, we recommend using user delegation SAS and prefix-based scoping is a good option to consider for more scoped permissions for a certain set of blobs.

Pricing and Availability

There is no additional cost for prefix-scoped access for user delegation SAS. Pricing is based on standard transaction costs for your storage account type. To learn more, see Azure Storage Pricing. 

Prefix-scoped access for user delegation SAS is available in all Azure regions.

How to generate a prefix-scoped SAS

To generate and use a prefix-scoped SAS:

Identify the prefix (or virtual directory) you want to authorize.
Follow the steps in the documentation to create a prefix-scoped SAS for user delegation SAS.
Use the SAS token with your application.

Notes

Support for prefix-scoped access parameters is available with authorization version 2020-02-10 or later via REST API and .NET Blob SDKs starting with version 12.35.0-beta.1 and newer.
The semantics for prefix scope (sr=d) are similar to container scope (sr=c), except that access is restricted to a prefix. When creating a prefix-scoped SAS, you must specify the signedDirectoryDepth (sdd) to indicate how many directory levels from the container root to the specified directory. For example, to grant access to dir2 on path container1/dir1/dir2, set the directory depth (sdd) = 2 to indicate the SAS is scoped to dir2 and everything beneath it.
Below are .NET SDK and REST API examples for reference.

.NET SDK Sample Definition

BlobSasBuilder blobSasBuilder = new BlobSasBuilder( permissions: BlobContainerSasPermissions.All, expiresOn: Recording.UtcNow.AddDays(1)) { BlobContainerName = test.Container.Name, BlobName = blobName, IsDirectory = true, }; // Test using same name as SAS BlobUriBuilder blobUriBuilder1 = new BlobUriBuilder(test.Container.Uri) { BlobName = blobName, Sas = blobSasBuilder.ToSasQueryParameters(Tenants.GetNewSharedKeyCredentials()) }; AppendBlobClient appendBlobClient1 = new AppendBlobClient(blobUriBuilder1.ToUri(), GetOptions()); await appendBlobClient1.CreateAsync(); // Test using SAS name + suffix BlobUriBuilder blobUriBuilder2 = new BlobUriBuilder(test.Container.Uri) { BlobName = blobName + "/test", Sas = blobSasBuilder.ToSasQueryParameters(Tenants.GetNewSharedKeyCredentials()) }; AppendBlobClient appendBlobClient2 = new AppendBlobClient(blobUriBuilder2.ToUri(), GetOptions()); await appendBlobClient2.CreateAsync();

REST API Sample Request

GET https://myaccount.blob.core.windows.net/mycontainer

?restype=container

&comp=list

&prefix=dir1/dir2/

&sr=d

&sdd=2

&sp=rl

&sv=2024-11-04

&se=2026-04-22T06:00:00Z

&skoid=<signed-oid>

&sktid=<signed-tid>

&skt=2026-04-22T00:00:00Z

&ske=2026-04-22T08:00:00Z

&sks=b

&skv=2024-11-04

&sig=<signature>

Next Steps

For a deeper dive, explore these resources:

Help and Support

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:  

For Issue type, select Technical.  
For Subscription, select your subscription.  
For Service, select My services.  
For Service type, select Blob Storage.  
For Resource, select the Azure resource you are creating a support request for.  
For Summary, type a description of your issue.  
For Problem type, select Authentication and Authorization .
For Problem subtype, select Issues using Shared Access Signature (SAS Token).

Announcing Microsoft Drivers 5.13.1 for PHP for SQL Server

DavidLevy — Thu, 30 Apr 2026 17:00:00 GMT

Announcing Microsoft Drivers 5.13.1 for PHP for SQL Server

We have released Microsoft Drivers 5.13.1 for PHP for SQL Server (sqlsrv and pdo_sqlsrv). This patch release addresses several important bug fixes, including a security fix for access token handling in pooled connections and multiple stability improvements.

Bug Fixes

Access token identity leaking across pooled connections

When using access token authentication with connection pooling, connections with different tokens could share the same pool entry, causing identity cross-contamination and use-after-free. This release properly incorporates the access token into the connection pool key, ensuring connections are only reused when the token matches. (#1592, fixes #1396)

Prepared statement silently failing on insert

A prepared INSERT statement could silently fail when triggers or SET NOCOUNT OFF produce extra result sets, causing an implicit transaction rollback with MARS enabled. The driver now correctly handles this scenario. (#1590)

Fatal error re-executing prepared statements with varying result sets

Re-executing a prepared statement that returns multiple result sets with different column layouts could cause a fatal error. Metadata entries are now properly freed, and the internal vector is cleared between executions. (#1596)

sqlsrv_errors() returning null after failed connection

When a connection attempt failed and ODBC provided no diagnostic records, sqlsrv_errors() would return null instead of surfacing the error. Connection failures now consistently report the underlying error. (#1595)

Stream becoming invalid when statement goes out of scope

A binary stream could become invalid when the originating statement went out of scope, leading to undefined behavior or crashes. The driver now properly invalidates streams when their parent statement is destroyed. (#1598, fixes #1443)

Installation

PECL (Linux/macOS)

sudo pecl install sqlsrv sudo pecl install pdo_sqlsrv

Windows

Download the prebuilt binaries from the GitHub Releases page and follow the loading instructions.

Prerequisites

ODBC Driver: Microsoft ODBC Driver 17 or 18 for SQL Server
PHP: 8.3, 8.4, or 8.5

For detailed platform-specific installation steps, see the Linux and macOS installation guide.

Upgrading from 5.13.0

This is a drop-in hotfix release. No API changes, no configuration changes. Update via PECL or replace the DLLs on Windows.

If you are using access token authentication with connection pooling, we strongly recommend upgrading to this release.

Resources

Feedback

We welcome your feedback and contributions. Please file issues, feature requests and pull requests on our GitHub Issues page.