Sunday, December 31, 2023

Unlocking Efficiency and Collaboration: Implementing Microsoft Copilots in Your Organization

 




Introducing Microsoft 365 Copilot

Microsoft Copilot for Microsoft 365 combines the power of large language models (LLMs) with your organization’s data – all in the flow of work – to turn your words into one of the most powerful productivity tools.

In this blog post, I will dive into the architecture of Microsoft 365 Copilot and explore how it can transform your digital experience. I will also discuss the process of rolling out Copilot in your organization, offering practical tips and insights to ensure a smooth and successful implementation.
 
I also highlight the numerous benefits that Microsoft 365 Copilot brings to the table. From improved efficiency and decision-making to reduced workload and increased employee satisfaction, Copilot has the potential to change the way you work.


At the core of Microsoft 365 Copilot is a large language model that processes user prompts from the Microsoft 365 apps. A prompt is sent to Copilot, which first accesses Microsoft Graph and the Semantic Index for pre-processing. The modified prompt is then sent to the large language model. Upon receiving a response from the model, Copilot accesses Microsoft Graph and the Semantic Index again for post-processing before sending the response and the application command back to Microsoft



Microsoft 365 Copilot Architecture

Microsoft 365 Copilot employs a comprehensive architecture that is designed for data security and privacy. The Azure OpenAI Service instance used to process the prompts is operated by Microsoft, so OpenAI has no access to the data or the model. Customer data does not leave the Microsoft 365 compliance boundary and is not used to train the foundation model. All requests are encrypted in transit via HTTPS.



Security, Compliance, and Privacy

Integration across Microsoft 365 apps such as Word, Excel, PowerPoint, Outlook, Teams, Whiteboard, OneNote, Loop and Microsoft 365 Chat. This component allows Microsoft 365 Copilot to work seamlessly with the Microsoft 365 apps and help you with tasks such as writing, presenting, researching or collaborating.

Custom copilots and plugins extend the functionality by integrating with company data and external systems. These plugins allow Microsoft 365 Copilot to access and analyze your data and provide relevant content or suggestions based on your context and needs.

Build your own copilots with Azure AI Studio, a platform that gives you access to models from the Azure OpenAI Service as well as hundreds of open-source models. You can also integrate your own data and use pre-built Azure AI skills: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/build-your-own-copilots-with-azure-ai-studio/ba-p/4006387

Build custom copilots with Microsoft Copilot Studio. Copilot Studio lets you customize Copilot for Microsoft 365 or create your own standalone copilots for specific roles and functions, using different knowledge sources. See Microsoft Copilot Studio | Extend Copilots or Create Your Own.

Large language models (LLMs) are utilized for natural language processing and interaction. These models are the core of Microsoft 365 Copilot’s AI capabilities, as they enable it to understand natural language and generate relevant content or suggestions based on your data and context.

A semantic index based on Microsoft Graph. The Semantic Index for Copilot creates a sophisticated map of your data and your organization's data, identifying relationships and making important connections. It uses that conceptual understanding to determine your intent and help you find what you need. It is the Semantic Index that enables Microsoft 365 Copilot to deliver relevant, actionable responses to prompts, and to do so in a secure, compliant, privacy-preserving way.


Business value of Microsoft Copilot: 

Microsoft Copilot can add significant business value by boosting productivity, improving work quality, saving time, and enhancing user satisfaction. 

 
• Productivity and speed: 70% of Copilot users reported they were more productive, and users were 29% faster in a series of tasks [1]. On average, Copilot for Sales users reported saving 90 minutes a week [2].
• Quality of work: 68% of users said Copilot improved the quality of their work [1].
• Email processing: 64% of users reported that Copilot helps them spend less time processing email [1].
• Drafting documents: 85% of users said Copilot helps them get to a good first draft faster [1].
• File searching: 75% of users said Copilot "saves me time by finding whatever I need in my files" [1].
• User satisfaction: 77% of users said once they used Copilot, they didn't want to give it up [1].

[1] What Can Copilot's Earliest Users Teach Us About Generative AI at Work? (microsoft.com)

M365 Copilot EAP participation and rolling out Copilot in your organization



EAP participation: Customers signing up for the Microsoft 365 Copilot Early Access Program (EAP) get access to Microsoft 365 Copilot and onboarding guidance from Microsoft.

Creating a team: It is important to identify the different stakeholders when rolling out Microsoft Copilot in your organization. These may include sponsors, owners, the approvals required in the process, funding and ongoing change management, early adopters (both technical and non-technical), legal, security, the works council, IP, and champions.

Defining a strategy: Start by identifying the challenges and opportunities that Microsoft Copilot can address in your organization. How can Copilot make your users' daily work life better? How would you improve the current systems? What are the most important improvements? What would be considered success for those improvements? Create KPIs to measure that success.

Roll-out approach and timeline: Consider the segmentation of the roll-out approach - will it be business unit by business unit, role by role? Define a timeline for the roll-out and communicate it to all stakeholders.

Communication plan: Identify who needs to be informed (e.g. business users that will be part of the roll-out, champions, and executive sponsors) and when they need to be informed. Prior to the roll-out, explain the changes and how they will benefit the business users. Provide training resources and channels for the champions to help. Ask for feedback and provide feedback channels to ensure the implementation is relevant for the business users.

Introduction plan: The early adopters are a user group of enthusiasts eager to try the latest and greatest. The champions are people who are willing to help others and need a good level of understanding of the new changes. Support needs to be aware of the new functionality being launched and be up to speed to troubleshoot and raise tickets with Microsoft Support. The business users need access to training materials in different formats (videos, documentation, etc.). User training should be provided to ensure a smooth transition.

For More Details : Microsoft 365 Adoption - Get Started



Microsoft 365 Copilot Apps

Microsoft Copilot (formerly Bing Chat) works in Microsoft Edge, Google Chrome and Safari, and on mobile. Access it at copilot.microsoft.com



iOS - https://apps.apple.com/us/app/microsoft-copilot/id6472538445

Android - https://play.google.com/store/apps/details?id=com.microsoft.copilot&hl=en&gl=US 

Copilot in Teams

Note-taker for meetings • Provides meeting recaps and insights • Suggests discussion points



Copilot in Word

Create Word documents from simple prompts • Summarize long Word documents and pull out key information • Rewrite sections of text or entire documents to be more concise or match a certain tone


Copilot in PowerPoint

Convert Word docs into PowerPoint presentations • Use natural language to refine slide text, formatting, animations, and layout • Summarize lengthy presentations into key slides



Copilot in Excel

Apply relevant formulas/calculations to data based on prompts • Create visualizations like charts/graphs to represent data • Summarize trends and insights from data analysis

Copilot in Outlook

Adjust the tone and length of email responses through simple prompts • Schedule follow-ups and create agendas based on previous email conversations




Copilot in OneNote

Summarize your notes, create a to-do list, design a plan

    


Copilot in Loop



Copilot in Whiteboard

Creating, organizing, and understanding ideas has never been easier.



Generate free AI images

Copilot offers you free access to the powerful image generator DALL-E 3.



Copilot in Windows 11


Copilot in Edge and Microsoft SwiftKey

Microsoft SwiftKey is a customizable keyboard that adapts to your writing style. Copilot in Edge is also now available in the SwiftKey toolbar and can be used for research and writing.

Download the SwiftKey app in the Apple App Store or Google Play




Microsoft Copilots overview and learning path



   

Copilots Learning Path



Microsoft 365 Copilot – Skilling

Get started with Microsoft 365 Copilot

Microsoft 365 Chat

Teams Copilot

Outlook Copilot

Word Copilot

PowerPoint Copilot

Excel Copilot

OneNote Copilot

 

MS-012 Prepare your organization for Microsoft 365 Copilot

Prepare for Microsoft 365 Copilot: Part 1 – Copilot design and prerequisites

Prepare for Microsoft 365 Copilot: Part 2 – Administrative roles and tenant health

Prepare for Microsoft 365 Copilot: Part 3 – Threat protection

Prepare for Microsoft 365 Copilot: Part 4 – Protecting sensitive data

 

GitHub Copilot – Skilling

Get started with GitHub and Visual Studio Code

GitHub Copilot Fundamentals - Understand the AI pair programmer

Getting started with GitHub Copilot

Related IT Skills

Course AZ-900T00: Microsoft Azure Fundamentals

Course AZ-204T00: Developing Solutions for Microsoft Azure

Course AZ-400T00: Designing and Implementing Microsoft DevOps solutions

 

Power Platform Copilot – Skilling

Create Power Platform solutions with AI and Copilot

Related IT Skills

Course PL-900T00: Microsoft Power Platform Fundamentals

Course PL-100T00: Microsoft Power Platform App Maker

Course PL-400T00: Microsoft Power Platform Developer

 

Microsoft Security Copilot – Skilling

TBD (https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-security-copilot)

Related IT Skills

Course SC-200T00: Microsoft Security Operations Analyst

Course SC-300T00: Microsoft Identity and Access Administrator

Course SC-400T00: Administering Information Protection and Compliance in Microsoft 365

Course SC-100T00: Microsoft Cybersecurity Architect

 

Microsoft Fabric Copilot – Skilling

https://azure.microsoft.com/en-us/blog/introducing-microsoft-fabric-data-analytics-for-the-era-of-ai/

Related IT Skills

Course DP-900T00: Microsoft Azure Data Fundamentals

Course PL-300T00: Microsoft Power BI Data Analyst

Get started with Microsoft Fabric

Course DP-601T00: Implementing a Lakehouse with Microsoft Fabric

Implement Real-Time Analytics with Microsoft Fabric

Ingest data with Microsoft Fabric

Implement data science and machine learning for AI in Microsoft Fabric

 

Custom Copilots Gen AI powered Apps

Course AI-050T00---A: Develop Generative AI Solutions with Azure OpenAI Service - Training | Microsoft Learn

 

Conclusion

The Microsoft 365 Copilot EAP is a paid program, so make sure you have a good adoption plan before you begin. This step is crucial for the success of the program; if you do not implement the adoption plan properly, you may not be able to complete the program.

The topic of oversharing is important because it directly affects the security of your data: Copilot surfaces any content the signed-in user already has permission to read, so content that is overshared today but rarely found becomes easy to discover and can lead to unintended access. At the time of writing, Microsoft does not provide default tools to check for oversharing. joseabarreto wrote a useful blog about oversharing; create your own custom report and educate your users about the topic.

I will cover Copilot Framework and custom copilots topics in next blog

 Happy Sharing!                                                     

Thursday, December 28, 2023

Securing SharePoint and Teams Integration with 3rd Party Applications using Microsoft Graph's Sites.Selected Delegated Permission in Enterprise Environment



In today's ever-evolving digital landscape, the need for seamless integration between Microsoft SharePoint, Microsoft Teams, and 3rd party applications has become paramount. This integration plays a vital role in fostering efficient collaboration and enhancing overall productivity. However, we cannot overlook the challenges that arise when it comes to ensuring the security and compliance of these integrations.

As the Microsoft 365 landscape continues to evolve, with the introduction of developments like Copilot and other AI tools, it has become even more crucial to address concerns such as oversharing and data security. In this blog, I aim to shed light on these pressing topics and provide insights based on my own experiences.

With multiple options available for implementing integrations and collaboration between 3rd party applications and Microsoft 365, it is essential to choose the best method for your specific implementation. By carefully considering the security and compliance aspects, we can ensure that our solutions not only meet our business needs but also adhere to industry standards and regulations.


In this article, we will explore one of the possible ways to integrate 3rd party applications with Microsoft 365 using the Graph API. Microsoft Graph is a single endpoint that provides access to data and services in the Microsoft cloud. It exposes REST APIs to access data in Microsoft 365 services like OneDrive, Outlook, SharePoint, Teams, etc.

Understanding authentication and authorization

Authentication and authorization are critical when calling Microsoft Graph. Your application must first obtain an access token from the Microsoft identity platform. The access token carries claims that let Graph validate the caller and check that the caller holds the permissions required for the requested operation (delegated permissions appear in the scp claim of the token, application permissions in the roles claim). There are two types of permissions, delegated and application, and you should choose the most suitable one for your needs.

There are three methods to integrate with SharePoint using the Graph API; they are compared below.

For all other scenarios and details, see the Graph documentation.

 

Comparison of delegated and application permissions

Types of apps
  Delegated: Web app / Mobile / Single-page app (SPA)
  Application: Web / Daemon

Access context
  Delegated: Get access on behalf of a user
  Application: Get access without a user

Who can consent
  Delegated: Users can consent for their data; admins can consent for all users
  Application: Only an admin can consent

Other names
  Delegated: Scopes, OAuth2 permissions
  Application: App roles, app-only permissions, direct access permissions

Result of consent
  Delegated: oAuth2PermissionGrant
  Application: appRoleAssignment

Supported signInAudience types
  Delegated: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount
  Application: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount

Description
  Delegated: The app acts on behalf of the signed-in user and can access the same resources and perform the same operations as the user
  Application: The app acts on its own without a signed-in user and can access resources and perform operations based on the app roles it has been assigned

Scenario
  Delegated: A web app that allows users to view and edit their own SharePoint documents
  Application: A background service that performs automated tasks on SharePoint data

Advantages
  Delegated: The app can provide a personalized and interactive user experience; data access is limited to where the user has permissions (e.g. Delve or Copilot)
  Application: The app can access data without user intervention or per-user consent
 

Implementation Methods 

Method 1: Tenant level site collection access with Sites.Read.All or Sites.ReadWrite.All

Sites.Read.All or Sites.ReadWrite.All application permissions. This method is not recommended, as it grants highly privileged permissions to a service principal: the service principal can read (or write) every site in your tenant. This approach poses a high risk of data leakage if the client ID and secret leak, because an attacker could read the complete tenant's SharePoint content without knowing any user or anything about the organization.



 



Risk level: High


Method 2: Site collection level 'granular' permissions with application permissions

Sites.Selected with application Graph permissions. This method allows you to assign different permissions to apps based on the site collection they need to access. This way, you reduce the attack surface and the risk of data leakage for the complete tenant while still enabling secure and seamless integration with third-party apps. However, this approach still carries a medium risk level, because application access means the app can access resources and perform operations without a signed-in user. For any 3rd party integration the customer has to hand a client ID plus a secret or certificate to the 3rd party, so the 3rd party application has full control (within the granted role) over that site's content, including encrypted and strictly confidential data.

Risk level: Low to Medium

Technical implementation:

Microsoft Graph now provides a granular permission level through the Sites.Selected application permission for the Entra application, instead of granting permission to all sites in the tenant. Sites.Selected by itself does not give the application access to any SharePoint site collection; access exists only once an admin has assigned the application a read or write role on a specific site collection. This post shows how to grant a site permission (Read or Write) to an Entra application with the Sites.Selected permission using the Postman client. For the full details see Controlling app access on a specific SharePoint site collections is now available in Microsoft Graph - Microsoft 365 Developer Blog.



Method 3: Site collection level 'granular' permissions with delegated permissions

Sites.Selected with delegated Graph permissions (in preview at the time of writing). This method works exactly the same as Method 2 but with delegated permissions: we can assign different permissions to apps based on the site collection they need to access, and in addition the app acts only on behalf of the signed-in user, so it never sees more of the granted site than that user is allowed to see. This combination reduces the risk of data leakage and provides more control over data access.

Update: MS document SharePoint now supports delegated Sites.Selected authentication (microsoft.com)

Risk level: Low

Technical implementation:

To activate token authentication you need an app registration. This section provides a guide on how to activate token authentication and grant permission to an Entra application. It covers app registration, platform configuration and granting admin consent. It also includes the PnP PowerShell cmdlet to grant a registered application access to a SharePoint site. Follow this guide to set up token authentication and enhance the security of your application.


Create an App in Microsoft Entra 


Within the app registration you will find the entry "Authentication" in the menu on the left side (under "Manage").

At the very top you will find the platform configurations. Click "Add a platform".

Choose the application platform (this depends on the application; in my test I chose "Web").

In the configuration tab enter the respective information (in my scenario the redirect URI for the authentication responses, i.e. where the tokens are sent) and select the types of tokens to allow (access tokens, ID tokens or both). Click Configure to submit.


Now you need to adapt the following link:

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?client_id={app-id}&response_type=token&scope=https%3A//graph.microsoft.com/Sites.Selected

Note: Replace {tenant id} and {app-id} with your tenant ID (found on the Overview page of Microsoft Entra ID in the Azure portal) and your application (client) ID (found on the Overview page of your app registration).

Note: response_type=token requests the OAuth 2.0 implicit grant, which returns the access token in the URL fragment. It is convenient for this quick test (and is the reason "Access tokens" had to be enabled in the platform configuration above), but Microsoft recommends the authorization code flow with PKCE for production applications; a token obtained this way is short-lived and cannot be refreshed.

Sample: https://login.microsoftonline.com/9d66ab4f-475c-4fd6-a9a0-2613da2f5833/oauth2/v2.0/authorize?client_id=f4b3d77b-8c0d-419b-ada0-ac97ffedc9d1&response_type=token&scope=https%3A//graph.microsoft.com/Sites.Selected


You will be prompted for the requested permissions. Check that the application name is correct, tick the box "Consent on behalf of your organization" and click "Accept".

The consent must be granted by a Global Administrator (or another role that is allowed to grant tenant-wide admin consent) with the "Consent on behalf of your organization" check box activated. Users will then not see any consent prompt when accessing the application.

After providing admin consent, you can find your application in the Enterprise applications section.



Quick test with Postman:

First grant Write permission on a single site collection. There are multiple ways to grant it; for brevity I used the PnP method, the same as in Method 2.

Grant the role using PnP PowerShell:

There is a PnP PowerShell cmdlet to grant a registered Entra application with the Sites.Selected permission access to a SharePoint site. The command can be executed by a site collection administrator after creating a connection to the site:

Connect-PnPOnline https://Test.sharepoint.com/sites/test -Interactive

You will be prompted to enter credentials, including the second factor. After the connection is created, enter the following command to grant Write permission to the application:

Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://Test.sharepoint.com/sites/test' -Permissions Write


For other methods, please refer to Mohamed Blog.

Once permission has been granted on the single site collection, copy the access_token from the browser address bar as shown below. If you want to generate a new token, open this URL in your browser again:

https://login.microsoftonline.com/9d66ab4f-475c-4fd6-a9a0-2613da2f5833/oauth2/v2.0/authorize?client_id=f4b3d77b-8c0d-419b-ada0-ac97ffedc9d1&response_type=token&scope=https%3A//graph.microsoft.com/Sites.Selected

Paste the access token into the token box as shown below, with the authorization type set to Bearer Token.

Send a GET request for the site. Because the token carries the delegated Sites.Selected scope and the app has been granted the Write role on this site collection, Graph returns the site object. Note that Sites.Selected alone grants nothing: the same request against a site collection where the app has not been granted a role fails with 403 accessDenied, even though the token itself is valid. In the same way you can grant the app access to multiple SharePoint sites.

https://graph.microsoft.com/v1.0/sites/test.sharepoint.com:/sites/test
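The token check and the two Graph calls described above, as an added example written for this post (it is not code from the original post, from Microsoft or from the PnP project): it decodes the bearer token to see whether Sites.Selected is present as a delegated scope (scp claim) or an application role (roles claim), builds the POST /sites/{site-id}/permissions body in the shape given in the Graph site-post-permissions reference, and then shows, against a constructed stand-in for Graph, that a GET on the site is refused until a role has been granted to that app for that specific site. The app ID, site IDs, display name and the token itself are constructed; nothing here calls the real service.

```python
"""Sites.Selected walkthrough: inspect the token, grant a site role, call the site.
Everything below is constructed for illustration; no request leaves the machine."""
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_AUD = "https://graph.microsoft.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_fake_token(claims: dict) -> str:
    """Unsigned JWT with the given claims, only so the sample runs offline.
    Real tokens from login.microsoftonline.com are RS256-signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_permissions(token: str) -> dict:
    """Read aud/appid/scp/roles out of the payload WITHOUT validating the
    signature. Fine for checking what you are about to paste into Postman;
    never use this on a resource server in place of real validation."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    scopes = set(payload.get("scp", "").split())   # delegated permissions
    roles = set(payload.get("roles", []))          # application permissions
    return {"aud": payload.get("aud"),
            "appid": payload.get("appid") or payload.get("azp"),  # azp in v2 tokens
            "scp": scopes, "roles": roles,
            "kind": "delegated" if scopes else "application"}


def has_sites_selected(token: str) -> bool:
    """True only if the token is for Graph and carries Sites.Selected."""
    p = token_permissions(token)
    return p["aud"] == GRAPH_AUD and "Sites.Selected" in (p["scp"] | p["roles"])


def grant_request(site_id: str, app_id: str, display_name: str, role: str) -> dict:
    """Body shape of POST /sites/{site-id}/permissions from the Graph reference.
    The identity sending this needs Sites.FullControl.All; the alternative is
    Grant-PnPAzureADAppSitePermission run by a site collection admin."""
    if role not in ("read", "write"):
        raise ValueError("Sites.Selected site roles are 'read' or 'write'")
    return {"method": "POST", "url": f"{GRAPH}/sites/{site_id}/permissions",
            "json": {"roles": [role],
                     "grantedToIdentities": [{"application": {
                         "id": app_id, "displayName": display_name}}]}}


def site_request(site_id: str) -> dict:
    """The quick test: GET the site with the app's token."""
    return {"method": "GET", "url": f"{GRAPH}/sites/{site_id}", "json": None}


class FakeGraph:
    """Stand-in for Graph that models one rule: a token carrying Sites.Selected
    gets 403 on every site until a role is granted to that app for that site.
    (It accepts the grant from any token; real Graph checks the caller's rights.)"""

    def __init__(self):
        self.grants = {}   # (site_id, app_id) -> role

    def send(self, req: dict, token: str):
        perms = token_permissions(token)
        if perms["aud"] != GRAPH_AUD:
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        path = req["url"].split("/sites/", 1)[1]
        if req["method"] == "POST" and path.endswith("/permissions"):
            site_id = path[: -len("/permissions")]
            ident = req["json"]["grantedToIdentities"][0]["application"]["id"]
            self.grants[(site_id, ident)] = req["json"]["roles"][0]
            return 201, {"roles": req["json"]["roles"]}
        if req["method"] == "GET":
            if not has_sites_selected(token) or (path, perms["appid"]) not in self.grants:
                return 403, {"error": {"code": "accessDenied"}}
            return 200, {"id": path, "webUrl": f"https://contoso.sharepoint.com/sites/{path}"}
        return 404, {}


def walkthrough() -> dict:
    """Status of the site GET before the grant, after it, and on an ungranted
    site. Expected: 403, 200, 403."""
    graph = FakeGraph()
    app_id = "00000000-0000-4000-8000-0000000000ab"        # hypothetical app registration
    site_a, site_b = "contoso-site-a", "contoso-site-b"    # hypothetical site IDs
    token = make_fake_token({"aud": GRAPH_AUD, "appid": app_id,
                             "scp": "Sites.Selected User.Read"})   # constructed delegated token
    before = graph.send(site_request(site_a), token)[0]
    graph.send(grant_request(site_a, app_id, "Integration App", "write"), token)
    after = graph.send(site_request(site_a), token)[0]
    other = graph.send(site_request(site_b), token)[0]
    return {"before": before, "after": after, "other_site": other}


if __name__ == "__main__":
    print(walkthrough())
```

To use the same checks against the real service, paste the token copied from the browser into token_permissions() before sending anything: if scp does not contain Sites.Selected or aud is not https://graph.microsoft.com, the consent or the scope in the authorize URL is wrong, and no amount of PnP granting will make the Postman call succeed.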

Reference : 

https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=csharp

https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http 

Conclusion:

In conclusion, integrating 3rd party applications with SharePoint using Graph API requires careful planning and consideration of security risks. By choosing the appropriate method and following the recommended steps, you can ensure that your sensitive data and resources remain secure and compliant.

Sunday, May 15, 2022

SharePoint Server Subscription Edition installation with minimized expenses

 

I created my farm using the guide found on this page: SharePoint Server 2016 dev/test environment in Azure - SharePoint Server | Microsoft Docs

 

However, I made a few adjustments to the VM creation scripts to accommodate the following:

  1. Using new versions of Windows Server, SQL Server and SharePoint Server, which are aligned with the new system requirements for SharePoint Server Subscription Edition
    1. Windows Server 2022
    2. SQL Server 2019
    3. SharePoint Server Subscription Edition
  2. Adjusting the VM sizes based on my other test farm (SP2016+2019) to minimize expenses

 

I also configured auto-shutdown for all VMs so that they are shut down automatically at 7 PM if they are on (this is done in the Azure portal).

 

All four changed PowerShell segments are attached in the compressed zip file. The rest of the process stays the same as described in the document above.

Download Scripts: Scripts

Issue with exporting a Power Apps solution in the default environment

 

Issue:

We are facing an issue while exporting a Power Apps solution from the default environment "ABC". The error is attached below.

Solution "ABC" failed to export: Principal with id e96d176f-3487-eb11-a812-000d3ab52d2a does not have ReadAccess right(s) for record with id 21b01452-9f7d-ec11-8d21-000d3a66509a of entity workflow. Details: {"CallerPrincipal":{"PrincipalId":"e96d-a812-000d3ab52d2a","Type":8,"IsUserPrincipal":true},"OwnerPrincipal":{"PrincipalId":"3ee8fac0-3687-eb11-a812-0d2a","Type":8,"IsUserPrincipal":true},"ObjectId":"21b01452-9f7d-ec11-8d21-000d3a66509a","ObjectTypeCode":4703,"EntityName":"workflow","ObjectBusinessUnitId":"7581668f-6f11-e911-a99d-000d3ab78b73","RightsToCheck":"ReadAccess","RoleAccessRights":"None","PoaAccessRights":"None","HsmAccessRights":"None","GrantedAccessRights":"None","Messages":["PrincipalHasOwnerPrincipalWithAtLeastBasicPrivilegeDepth = False","EntityUserGroupRights = None","MinimumPrivilegeDepthRequired = Local","SecLib::AccessCheckEx2 failed. Owner Data: User principal 3ee8fac0-3687-eb11-a812-000d3ab52d2a is not loaded in UserDataCache yet; Principal Data: roleCount=6, privilegeCount=1538, accessMode=0"],"EntityOwnershipTypeMask":1,"CallerInfo":{"IsSystemUser":false,"IsSupportUser":false,"IsAdministrator":false,"IsCustomizer


Resolution:

Based on the error above, it seems that the solution contains a flow that is not owned by the user https://ABC.crm4.dynamics.com/api/data/v9.1/systemusers(e961-a812-000d3ab52d2a).

 

So, based on the information provided in Security roles and privileges - Power Platform | Microsoft Docs, Local (i.e. Business Unit depth) is the minimum security role access level required to successfully export the solution.



To resolve this issue, take the following steps:

1. An environment admin should browse to the Power Platform admin center https://admin.powerplatform.microsoft.com
2. Select the environment(s) with this issue
3. Click Security Roles > See all
4. Select the Environment Maker role and select Edit
5. Click the Customization tab
6. In the grid of circles, set the Read permission on the Process row to the Business Unit level of permission