Implementing a Zero Trust security model at Microsoft

By David Hirning, Inside Track Blog. Published Thu, 24 Apr 2025.

At Microsoft, our shift to a Zero Trust security model—which began more than seven years ago—has helped us navigate many challenges.

The increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the workforce have changed the technology landscape for the modern enterprise. Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to corporate technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.

The shift to the internet as the network of choice and the continuously evolving threats led us to adopt a Zero Trust security model internally here at Microsoft. Though our journey began many years ago, we expect that it will continue to evolve for years to come.


Carmichael Patton, a principal security architect at Microsoft, discusses the work that his team in the Chief Information Security Office (CISO) organization has been doing to support a Zero Trust security model.

The Zero Trust model

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:

  • Identities are validated and secure with phishing-resistant authentication (MFA) everywhere. Using phishing-resistant authentication eliminates password expirations and eventually will eliminate passwords. The added use of biometrics ensures strong authentication for user-backed identities.
  • Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource.
  • Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment. Robust and standardized auditing, monitoring, and telemetry capabilities are core requirements across users, devices, applications, services, and access patterns.
  • Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function. Access solutions that provide broad access to networks without segmentation, or that are not scoped to specific resources, such as broad-access VPN, must be eliminated.

Zero Trust scenarios

We have identified four core scenarios at Microsoft to help achieve Zero Trust. These scenarios satisfy the requirements for strong identity, enrollment in device management and device-health validation, alternative access for unmanaged devices, and validation of application health. The core scenarios are described here:

  • Scenario 1: Applications and services have the mechanisms to validate multifactor authentication and device health.
  • Scenario 2: Employees can enroll devices into a modern management system which guarantees the health of the device to control access to company resources.
  • Scenario 3: Employees and business guests have a method to access corporate resources when not using a managed device.
  • Scenario 4: Access to resources is limited to the minimum required—least privilege access—to perform a specified function.

Zero Trust scope and phases

We’re taking a structured approach toward Zero Trust, an effort that spans many technologies and organizations and requires investments that will carry over multiple years. The graphic below represents a high-level view of the Zero Trust goals—grouped into our core Zero Trust pillars—that we continually work toward.

While these goals don’t represent the full scope of the Zero Trust efforts and work streams, they capture the most significant areas of Zero Trust effort at Microsoft.

Pillars of the Microsoft Zero Trust model

Graphic showing the four main pillars of our Zero Trust security model: Verify identity, Verify device, Verify Access, and Verify Services.
The major goals for each Zero Trust pillar that we work toward at Microsoft.

Scope

Our initial scope for implementing Zero Trust focused on common corporate services used across our enterprise—our employees, partners, and vendors. Our Zero Trust implementation targeted the core set of applications that Microsoft employees use daily (e.g., Microsoft 365 apps, line-of-business apps) on platforms like iOS, Android, macOS, Linux, and Windows. As we have progressed, our focus has expanded to include all applications used across Microsoft. Any corporate-owned or personal device that accesses company resources must be managed through our device management systems.

Verify identity

To begin enhancing security for the environment, we implemented MFA using smart cards to control administrative access to servers. We later expanded the multifactor authentication requirement to include all users accessing resources from outside the corporate network. The massive increase in mobile devices connecting to corporate resources pushed us to evolve our multifactor authentication system from physical smart cards to a phone-based challenge (phone-factor) and later into a more modern experience using the Microsoft Azure Authenticator application.

The next step in this area is the widespread deployment of Windows Hello for Business for biometric authentication. While Windows Hello hasn’t completely eliminated passwords in our environment, it has significantly reduced password usage and enabled us to remove our password-expiration policy. Additionally, multifactor authentication validation is required for all accounts, including guest accounts, when accessing Microsoft resources.

Our most recent efforts involve rolling out phishing-resistant authentication credentials through Passkey options in the Microsoft Authenticator app, with YubiKeys as an option for limited-scale use cases. Additionally, all new employee onboarding is now run through a process for Passkey configuration, without the use of a password from day one.

Verify device

Our first step toward device verification was enrolling devices into a device-management system. We have since completed the rollout of device management for Windows, Mac, Linux, iOS, and Android. Many of our high-traffic applications and services, such as Microsoft 365 and VPN, enforce device health for user access.

Additionally, we’ve started using device management to enable proper device health validation, a foundational component that allows us to set and enforce health policies for devices accessing Microsoft resources. We’re using Windows Autopilot for device provisioning, which ensures that all new Windows devices delivered to employees are already enrolled in our modern device management system.

Devices accessing the corporate network must also be enrolled in the device-management system. This includes both Microsoft-owned devices and personal BYOD devices. If employees want to use their personal devices to access Microsoft resources, the devices must be enrolled and adhere to the same device-health policies that govern corporate-owned devices.

For devices where enrollment in device management isn’t an option, we’ve created a secure access model called Microsoft Azure Virtual Desktop. Virtual Desktop creates a session with a virtual machine that meets the device-management requirements. This allows individuals using unmanaged devices to securely access select Microsoft resources.

There is still work remaining within the verify device pillar. We’re in the process of maturing device management for Linux devices and expanding the number of applications enforcing device management to eventually include all applications and services. We’re expanding the number of resources available when connecting through the Virtual Desktop service. We’re also expanding to other devices, such as the Meta Quest headsets, conference room devices, and kiosks. Finally, we’re making device-health policies more robust and enabling validation across all applications and services.

Verify access

In the verify access pillar, we focused on segmenting users and devices across purpose-built networks, migrating all Microsoft employees to use the internet as the default network, and automatically routing users and devices to appropriate network segments. We successfully deployed several network segments, both for users and devices, including internet-default wired and wireless networks across all Microsoft buildings. All users received policy updates to their systems, thus making this internet-based network their new default.

As part of this network rollout, we deployed a device-registration portal. This portal allows users to self-identify, register, or modify devices to ensure that the devices connect to the appropriate network segment. Through this portal, users can register guest devices, user devices, and IoT devices.

We also created specialized segments, including purpose-built segments for the various IoT devices and scenarios used throughout the organization. We completed the migration of our highest-priority IoT devices in Microsoft offices into the appropriate segments.

Verify services

In the verify services pillar, our efforts center on enabling conditional access across all applications and services. To achieve full conditional access validation, a key effort requires modernizing legacy applications or implementing solutions for applications and services that can’t natively support conditional access systems. This has the added benefit of reducing the dependency on VPN and the corporate network.

Microsoft has adopted a hybrid workplace and a large percentage of our employees have transitioned to work from home. This shift has meant greatly increased use of remote network connectivity. Gradually, we have been able to successfully engage application owners in our plans to make applications and services accessible over the internet without VPN, and we’ve been able to transition 98% of our workloads to internet-facing services.

For those services that remain on-premises or are behind Azure Private Endpoints, we have enabled Azure VPN, which we’ve migrated from “always on” to manual access when a VPN is required. Our goal is to further reduce dependency on VPNs in order to restrict access to only required services, rather than the broader access that VPNs provide. We also further reduced the risk of lateral movement by implementing the Entra Secure Service Edge solution.  

Implementing Entra SSE allows us to provide secure tunnel access through Private Access and Internet Access for Microsoft Services. For Microsoft-specific SaaS solutions like Microsoft 365 and Microsoft Dynamics, the Internet Access for Microsoft Services gives us important functionality, including token protection and the ability to prevent man-in-the-middle (MitM) attacks.

We are also working on onboarding our on-premises and Private Endpoints through Private Access. In addition to helping deal with MitM attacks and token protection, this allows for direct service connections from the client to the service, without allowing broader access to other services that an employee should not have direct access to.

Zero Trust architecture with Microsoft services

The graphic below provides a simplified reference architecture for our approach to implementing Zero Trust. The primary components of this process are Intune for device management and device security policy configuration, Microsoft Entra Conditional Access for device health validation, and Microsoft Entra ID for user and device inventory.

The system works with Intune, by pushing device configuration requirements to the managed devices. The device then generates a statement of health, which is stored in Microsoft Entra ID. When the device user requests access to a resource, the device health state is verified as part of the authentication exchange with Microsoft Entra ID.

Microsoft Security Zero Trust access model

Zero Trust access diagram: Intune enrollment (mobile devices, employees and guest users and desktop) and Internet access for Microsoft Services (Microsoft 365 Dynamics, Microsoft Cloud SaaS apps and On-premises/legacy).
Microsoft’s internal Zero Trust architecture.
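
The following Python is an added example, not Microsoft's implementation. It models the access decision described above: phishing-resistant identity, explicit authorization, device health looked up from the directory, and Virtual Desktop as the path for unmanaged devices. The class names, credential labels, and sample users, devices and resources are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumption: labels for the phishing-resistant methods the article names
# (smart card, passkey, Windows Hello for Business). Not real product values.
PHISHING_RESISTANT = frozenset({"smartcard", "passkey", "windows_hello"})


class Decision(Enum):
    ALLOW = "allow"
    VIRTUAL_DESKTOP = "allow_via_virtual_desktop"
    DENY = "deny"


@dataclass(frozen=True)
class DeviceRecord:
    """Hypothetical directory entry holding a device's last health statement."""
    managed: bool   # enrolled in device management
    healthy: bool   # last reported state met the health policy


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_method: str
    device_id: str
    resource: str


@dataclass
class AccessPolicy:
    devices: dict        # device_id -> DeviceRecord
    entitlements: dict   # user -> set of explicitly authorized resources
    virtual_desktop_resources: frozenset = field(default_factory=frozenset)

    def evaluate(self, req):
        """Return (Decision, reason). Every check must pass; nothing is trusted by default."""
        # Verify identity: anything weaker than phishing-resistant is refused.
        if req.auth_method not in PHISHING_RESISTANT:
            return Decision.DENY, "authentication method is not phishing-resistant"
        # Least privilege: only explicitly authorized resources are reachable.
        if req.resource not in self.entitlements.get(req.user, frozenset()):
            return Decision.DENY, "resource is not explicitly authorized for this user"
        # Verify device: look up the stored health state for the requesting device.
        device = self.devices.get(req.device_id)
        if device is None or not device.managed:
            # Unmanaged devices get the alternative path, for selected resources only.
            if req.resource in self.virtual_desktop_resources:
                return Decision.VIRTUAL_DESKTOP, "unmanaged device: use a Virtual Desktop session"
            return Decision.DENY, "unmanaged device and resource is not offered via Virtual Desktop"
        if not device.healthy:
            # Assumption: a managed but unhealthy device is refused until remediated.
            return Decision.DENY, "managed device does not meet the health policy"
        return Decision.ALLOW, "identity, authorization and device health verified"


# Constructed sample data, for illustration only.
SAMPLE_POLICY = AccessPolicy(
    devices={
        "dev-managed-ok": DeviceRecord(managed=True, healthy=True),
        "dev-managed-stale": DeviceRecord(managed=True, healthy=False),
        "dev-byod-unenrolled": DeviceRecord(managed=False, healthy=False),
    },
    entitlements={
        "alice": frozenset({"mail", "payroll-app"}),
        "guest-bob": frozenset({"mail"}),
    },
    virtual_desktop_resources=frozenset({"mail"}),
)

if __name__ == "__main__":
    for request in (
        AccessRequest("alice", "passkey", "dev-managed-ok", "payroll-app"),
        AccessRequest("alice", "password_sms", "dev-managed-ok", "mail"),
        AccessRequest("guest-bob", "passkey", "personal-tablet", "mail"),
        AccessRequest("alice", "windows_hello", "dev-managed-stale", "mail"),
    ):
        decision, reason = SAMPLE_POLICY.evaluate(request)
        print(f"{request.user:10} {request.resource:12} {decision.value:26} {reason}")
```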

A transition that’s paying off

In our transition to a Zero Trust model, we continue to make consistent progress. Over the last several years, we’ve increased identity-authentication strength with expanded coverage of strong authentication, a transition to biometrics-based authentication by using Windows Hello for Business, and phishing-resistant credentials for all supported platforms. We’ve deployed device management and device-health validation capabilities across all major platforms. We’ve also launched a Windows Virtual Desktop system that provides secure access to company resources from unmanaged devices and is Zero Trust compliant by design.

As we continue our progress, we’re making ongoing investments in Zero Trust. We’re expanding health-validation capabilities across devices and applications, increasing the Virtual Desktop features to cover more use cases, and implementing better controls on our network. After reducing (and eliminating when possible) our dependencies on VPN, our next chapter is to migrate to a more modern secure tunnel per application.

Each enterprise that adopts Zero Trust will need to determine what approach best suits their unique environment. This includes balancing risk profiles with access methods, defining the scope for the implementation of Zero Trust in their environments, and determining what specific verifications they want to require for users to gain access to their company resources. In all of this, encouraging the organization-wide embrace of Zero Trust is critical to success, no matter where you decide to begin your transition.

Key Takeaways

Here are some tips for moving to a Zero Trust security model at your company:

  • Collect telemetry and evaluate risks, then set goals.
  • Get to modern identity and MFA—then onboard to Microsoft Entra ID.
  • For conditional access enforcement, focus on your most-used applications to ensure maximum coverage.
  • Start with simple policies for device health enforcement, such as device lock or password complexity.
  • Run pilots and ringed rollouts. Slow and steady wins the race.
  • Migrate your users to the internet and monitor VPN traffic to understand internal dependencies.
  • Focus on the user experience, as it is critical to employee productivity and morale. Without adoption, your program won’t be successful.
  • Communication is key—bring your employees on the journey with you!
  • Assign performance indicators and goals for all workstreams and elements, including employee sentiment.

Implementing strong user authentication with Windows Hello for Business

Inside Track Blog. Published Thu, 17 Apr 2025.

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong, phishing-resistant authentication by combining an enrolled device with a PIN or biometric user input for sign in.

Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution. We in Microsoft Digital, the company’s IT organization, streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Entra ID account (formerly known as a Microsoft Azure Active Directory account).

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

  • It supports our Zero Trust security model. It emphasizes an identity-driven security solution by centering on securing user identity with strong authentication as well as eliminating passwords.
  • It uses existing infrastructure. We configured Windows Hello to support smart card-like scenarios by using a certificate-based deployment. Our security policies enforce secure access to corporate resources with phishing-resistant authentication, including smart cards and passkeys. Windows Hello biometric authentication is currently enabled, but optional for all users.
  • It uses a PIN. It replaces passwords with stronger authentication. Users can now sign in to a device using a PIN that is backed by a trusted platform module (TPM) chip.
  • It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
  • It permits a single sign-in. After users sign in with their PIN, they have access to email, SharePoint sites, Microsoft 365, and business applications without being asked for credentials again.
  • It is compatible with remote access. When using Hello for Business, users can connect remotely using a Microsoft Digital VPN without the need for additional authentication.
  • It supports Windows Hello. If users have compatible biometric hardware, they can set up biometrics sign-in to swipe their finger or take a quick look at the device camera. This is optional for all users.

Our deployment environment for the Windows Hello for Business feature includes:

  • Server: Microsoft Entra ID subscription and Microsoft Entra Connect to extend on-premises directory to Entra ID
  • For certificate enrollment: Active Directory Certificate Services (AD CS), Network Device Enrollment Service (NDES), and Microsoft Intune
  • Client: Windows 10 or Windows 11 device with an initialized and owned TPM

For more information about integrating on-premises identities with Microsoft Entra ID, see What is hybrid identity with Microsoft Entra ID?

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use another form of phishing-resistant authentication or a Temporary Access Pass to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

  • On-premises Active Directory hybrid domain–joined devices. Users sign in with their domain account, the device is registered with Entra ID and scoped for Intune management, Intune policies are delivered and then the user creates a PIN.
  • Entra ID–joined devices managed by Microsoft Intune. Users must enroll in device management through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins, and users receive the prompt to create their PIN.

Requirements

  • Phishing-resistant authentication is required for PIN creation using one of the existing methods: smart card, passkey, or TAP (Temporary Access Pass).
  • A PIN that has at least six characters.
  • A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows hybrid domain–joined devices were already synchronized with Entra ID through Microsoft Entra Connect, and we already had a public key infrastructure (PKI) in place. Already having a PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used Intune, NDES, and AD CS.

Server roles and services

In our implementation, the following servers and roles worked together to enable Windows Hello as a corporate credential:

  • Entra ID subscription with Microsoft Entra Device Registration Service to register devices with Entra ID.
  • Intune is used to manage Hello for Business policies for all enrolled devices.
  • PKI includes NDES servers (with Certificate Connector for Microsoft Intune) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Hybrid domain–joined service workflow

The following workflow applies to any Windows 10 or Windows 11 computers joined to our AD DS domain.

  • Our hybrid domain–joined devices are automatically registered with Entra ID via a group policy and enrolled in Intune management.
  • Intune Policies—including Hello enablement, configuration, and NDES information—are delivered to the device.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using phishing-resistant authentication, and create a PIN. A private key is created and registered in Entra ID. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • On the next Intune sync, the device contacts the internet-facing NDES server using the URL from the Intune policy and provides the challenge response. The NDES server validates the challenge with the Certificate Connector for Microsoft Intune and receives a “true” or “false” to challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Entra ID–joined service workflow

  • On device join, Intune pushes a device policy to Microsoft Entra ID devices that contains the Windows Hello for Business policies as well as the URL of the NDES server and the challenge generated by Intune.
  • During the device join flow, the user is prompted to configure Hello for Business, confirm their identity using phishing-resistant authentication, and create a PIN. A private key is created and registered in Entra ID. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • On the next Intune sync, the device contacts the internet-facing NDES server using the URL from the Intune policy and provides the challenge response. The NDES server validates the challenge with the Certificate Connector for Microsoft Intune and receives a “true” or “false” to challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Setting policies

Windows Hello for Business policies for both hybrid domain–joined and Entra ID–joined Windows 10 and Windows 11 devices are managed by Intune. We also use these policies to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello is enabled.

We chose to enable Hello for Business with a hardware-required option, which means that keys are generated on the TPM. Additionally, we chose to issue a certificate to all Hello for Business credentials to enhance the usability of the credential throughout the corporate infrastructure.

Policy management

We set the Windows Hello for Business policy settings with Intune in two different places. First, setting them via the Tenant Policy ensures that the policies are delivered during the device-enrollment flow. The Tenant Settings can be found in Microsoft Intune Manager Admin Center under Devices > Windows > Windows Enrollment > Windows Hello for Business. However, Tenant Policies are only delivered one time on device join.

We also configure the settings using the Intune Settings Catalog to ensure that they are continuously enforced on all devices. This allows us to update the policies on devices that are already joined. In these policies, we have configured the following options:

  • Enable Windows Hello for Business
  • Require use of a Trusted Platform Module (TPM)
  • Allow biometric authentication
  • PIN complexity:
    • Minimum length: 6 characters
    • Allow uppercase letters
    • Allow lowercase letters
    • Allow special characters

For more details on these policy configuration options, check out our documentation page on the Microsoft Learn site.

To enable the Windows Hello for Business certificate issuance, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has smart card sign-in extended key usage. Note that to set the minimum key size, this certificate template should be configured in the Simple Certificate Enrollment Protocol (SCEP) Enrollment page; then you can use the Windows Hello for Business and Certificate Properties page to set the minimum key size to 2048.

User enrollment experience

All Windows 10 and Windows 11 devices in the Microsoft environment receive the Windows Hello for Business policies from Intune. For hybrid domain–joined devices, these policies are delivered after device registration with the Entra ID tenant. For Entra ID–joined devices, the policies are delivered as part of the device join flow.

PIN creation

On hybrid domain–joined devices, the user is prompted to create their Hello for Business PIN when they unlock or log into the device after the policy settings are applied and the prerequisites, such as TPM availability and state, are met.

Entra ID–joined devices prompt the user to create their Hello for Business PIN during the device join workflow, assuming that the device meets all of the prerequisites.

Certificate enrollment process

After a PIN is successfully created, a certificate is automatically requested on behalf of the user during the next Intune policy sync operation.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Intune policies. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.
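
The renewal rule above can be applied to a certificate inventory to separate certificates that are simply waiting for a PIN sign-in from those whose renewal has not happened despite one. This Python is an added example, not Microsoft's tooling: the threshold of about 33% is derived from the article's 90-day and 30-day figures, and the record fields, device names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Figures from the article: 90-day certificates, renewal about 30 days before expiry.
LIFETIME = timedelta(days=90)
RENEWAL_WINDOW = timedelta(days=30)
# The same rule expressed as a percentage of lifetime remaining (30 / 90, about 33.3%).
RENEWAL_THRESHOLD_PCT = 100 * RENEWAL_WINDOW / LIFETIME


def percent_remaining(not_before, not_after, now):
    """Share of the certificate lifetime still left at `now`, from 0 to 100."""
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("not_after must be later than not_before")
    left = min(max(not_after - now, timedelta(0)), lifetime)
    return 100 * left / lifetime


def classify(cert, now):
    """Classify one record (hypothetical fields: not_before, not_after, last_pin_signin)."""
    if now >= cert["not_after"]:
        return "expired"
    if percent_remaining(cert["not_before"], cert["not_after"], now) > RENEWAL_THRESHOLD_PCT:
        return "ok"
    # Inside the renewal window: work out when the threshold was crossed.
    lifetime = cert["not_after"] - cert["not_before"]
    window_opened = cert["not_after"] - lifetime * (RENEWAL_THRESHOLD_PCT / 100)
    last_pin = cert.get("last_pin_signin")
    if last_pin is not None and last_pin >= window_opened:
        # A PIN sign-in inside the window should have triggered renewal, so the
        # old certificate still being current points at the supporting services.
        return "renewal_stalled"
    return "awaiting_pin_signin"


def audit(inventory, now):
    """Group device names by state so stalled renewals stand out."""
    report = {}
    for name, cert in inventory.items():
        report.setdefault(classify(cert, now), []).append(name)
    return {state: sorted(names) for state, names in report.items()}


def _cert(now, age_days, last_pin_days_ago=None):
    """Build a constructed 90-day certificate record issued `age_days` before `now`."""
    issued = now - timedelta(days=age_days)
    last_pin = None if last_pin_days_ago is None else now - timedelta(days=last_pin_days_ago)
    return {"not_before": issued, "not_after": issued + LIFETIME, "last_pin_signin": last_pin}


# Constructed sample inventory, for illustration only.
NOW = datetime(2025, 4, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "LAPTOP-01": _cert(NOW, age_days=10, last_pin_days_ago=1),   # 80 days left
    "LAPTOP-02": _cert(NOW, age_days=70, last_pin_days_ago=15),  # in window, no PIN use since
    "LAPTOP-03": _cert(NOW, age_days=70, last_pin_days_ago=2),   # in window, PIN used, not renewed
    "LAPTOP-04": _cert(NOW, age_days=95, last_pin_days_ago=40),  # expired 5 days ago
    "LAPTOP-05": _cert(NOW, age_days=80),                        # in window, PIN never used
}

if __name__ == "__main__":
    for state, names in sorted(audit(SAMPLE_INVENTORY, NOW).items()):
        print(f"{state:20} {', '.join(names)}")
```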

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end signals to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly through Intune, which provides easier administration. Additionally, certificates are automatically revoked by the Intune service when a user or device is de-provisioned from the environment.

Key Takeaways

Here are some tips for getting started with Windows Hello for Business at your company:

  • OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.
  • Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.
  • Windows Hello for Business relies on several underlying services: Entra ID, Intune, NDES, and AD CS. All of these services need to be healthy and available.
  • Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

The post Implementing strong user authentication with Windows Hello for Business appeared first on Inside Track Blog.

]]>
10031
Deploying Kanban at Microsoft leads to engineering excellence http://approjects.co.za/?big=insidetrack/blog/deploying-kanban-at-microsoft-leads-to-engineering-excellence/ Thu, 10 Apr 2025 16:00:00 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=6664 At Microsoft we’ve taken a page from the auto industry and have adopted a process called Kanban. Kanban (pronounced “con-bon”) is a Japanese word meaning “signboard” or “billboard.” It was first developed by a Toyota engineer decades ago to improve manufacturing efficiency. Today, we’re using Kanban to drive improvement and streamline workflows within some of […]

The post Deploying Kanban at Microsoft leads to engineering excellence appeared first on Inside Track Blog.

At Microsoft we’ve taken a page from the auto industry and have adopted a process called Kanban. Kanban (pronounced “con-bon”) is a Japanese word meaning “signboard” or “billboard.” It was first developed by a Toyota engineer decades ago to improve manufacturing efficiency.

Today, we’re using Kanban to drive improvement and streamline workflows within some of our engineering teams. The process shows great potential to encourage innovation and increase engineering excellence.

In its simplest form, Kanban involves creating a set of cards that track manufacturing or other step-by-step processes. These cards, tacked to a corkboard, can be used to highlight trouble spots and avoid overcapacity. That latter quality helps Kanban users resist loading up a job with too many side tasks.

“I learned about Kanban when I was in the Marine Corps,” says Ronald Klemz, a senior software engineer manager on our Microsoft Commerce and Ecosystems team. “When I joined Microsoft, I could see how it applied to software engineering.”

Less meetings, more flexibility

Although Kanban has gradually grown in popularity at Microsoft, many engineers still rely on the scrum development framework (part of the agile software development methodology). Scrums consist of regular planning meetings, followed by two-week to month-long sprints that are designed to complete a particular stage of work.

While plenty of good work has come out of scrums and agile, they are not always ideal for driving engineering improvement. The regular scrum meetings can be time-consuming; even though they are designed to break big jobs into manageable pieces, teams can still become overwhelmed if customers add new requirements on the fly.

Engineering managers Ronald Klemz and Snigdha Bora have witnessed the benefits of the Kanban project management process on their teams at Microsoft.

“At the start of each two-week scrum cycle, you’re expected to know everything that you’re going to do in those two weeks,” says Snigdha Bora, an engineering lead with Microsoft Digital, the company’s IT organization. “But there are things that will happen in those two weeks that you can’t know in advance. All of that goes away with Kanban, because it has no artificial boundaries or time limitations.”

Klemz agrees.

“We’d spend so much time in meetings, planning and replanning to ensure our commitments were falling in the sprint window,” Klemz says. “That would result in large work items sitting in the Active column for days or weeks, making it really difficult to visualize the state of the work. To reduce the meeting load and free up our engineers, we decided to give Kanban a try—and we’ve never looked back.”

Balancing workloads and resources

Whether built with simple paper materials or using more sophisticated software versions, a Kanban board shows rows of cards arranged in columns that represent stages of a project’s workflow. Each card contains a specific task and who is responsible for it.

One of Kanban’s most valuable aspects is that each column is designed to self-limit work in progress. If an extra card is added that exceeds the agreed upon limit of tasks, the column heading might light up red, indicating a possible bottleneck that could delay work.

“It helps to simplify the workflow, so people aren’t getting hit with all kinds of sudden, ad hoc projects,” Klemz says. “They’re able to focus on the agreed-upon workflow.”

Kanban also helps engineers easily shift gears as priorities change and challenges arise.

“Kanban really helps us have the flexibility to tackle urgent work without entirely disrupting the state of our planning cycle,” Klemz says. “When you have a small team responsible for many downstream systems, there are bound to be unknowns that surface and suddenly become top priority. By leveraging Kanban, we’re able to break our work into smaller tasks, so that an engineer can switch projects to focus on an urgent issue.”

Virtual Kanban board at Microsoft

A basic Kanban board, with tasks ordered by whether they have been started, are in process, or have been completed.

That last point underscores another advantage of how Kanban drives engineering improvement at Microsoft: Its visual nature makes it easy for someone who is a newcomer to a team, has been on vacation, or is a part-timer to look at the Kanban board and immediately see what needs to be done.

“With a Kanban board, an employee can pick up any unassigned task without having to consult the project manager on the priority,” Bora says. “This is much easier and more efficient.”

This feature is especially helpful as more Microsoft engineers are working remotely in today’s increasingly hybrid workforce, frequently across various time zones. By checking the Kanban boards, many of which are created with Microsoft Azure DevOps, they can quickly grasp the status of a project at any time.

Enabling greater collaboration and transparency

The Microsoft Commerce and Ecosystem team owns the tools, processes, and controls to ensure that Microsoft’s preferred suppliers and partners are paid in a timely way once invoices are approved. They also ensure that tax and other statutory laws are followed globally, provide tax and statutory compliance information, and report payments to the Internal Revenue Service.

Those multiple workflows often led to siloed work, with different members of the team unaware of what co-workers were doing, or how their work affected others.

Kanban has helped the team create a more collaborative work environment while still giving engineers plenty of freedom for innovation, which has positively impacted both business needs and the customer experience.

“It’s an effective approach to delivering software iteratively,” Bora says. “It brings so much transparency for the team by providing better visualization to track progress.”

The increased agility plays well with Microsoft customers, who have become accustomed to rapid and seamless product improvements. The same goes for internal business changes, such as the expansion of Microsoft Azure and data center launches and announcements.

According to team leaders, Kanban allows them to quickly respond to these strategic shifts, enabling real-time transparency and close tracking of OKRs (Objectives and Key Results). The Kanban dashboards also allow them to more easily give global stakeholders insight into project progress, which builds stronger trust among all parties.

Kanban also helps the organization more effectively manage global statutory laws and compliance processes, which can change rapidly (including predefined timelines that in most cases are non-negotiable).

Adopting Kanban continues to be a learning process for Microsoft engineers, and the discipline is gradually becoming more widely accepted in the tech industry. It shows great potential for making software development faster and more trouble-free, while helping teams work together more flexibly and effectively.

Key Takeaways

Here are some of the advantages that Kanban can bring to help improve workflow processes at your organization:

  • It elevates flexibility over rigid frameworks. Unlike scrums, Kanban doesn’t enforce strict timeboxes (like sprints). This flexibility helps teams adapt to unexpected changes and evolving requirements without disruption.
  • Visual workflow = instant clarity. Kanban’s visual boards help engineers and stakeholders easily see the state of work at any time. This is especially useful for remote, hybrid, or globally distributed teams.
  • The work-in-progress limits prevent bottlenecks. The columns on a Kanban board can be set to limit the number of active tasks. This helps teams stay focused, avoid burnout, and reduce delays in the workflow.
  • It enables better collaboration and reduces siloed work. Kanban promotes shared visibility and team-wide alignment while eliminating siloed efforts, ensuring that everyone is moving toward common business outcomes.
  • It increases agility at scale. Kanban has helped Microsoft adjust to increasingly faster business cycles, supporting major product rollouts, organizational changes, and statutory compliance across global markets with speed and confidence.

Keeping our network infrastructure healthy at Microsoft with an employee-built AI agent
http://approjects.co.za/?big=insidetrack/blog/keeping-our-network-infrastructure-healthy-at-microsoft-with-an-employee-built-ai-agent/
Thu, 30 Jan 2025 17:00:00 +0000

The post Keeping our network infrastructure healthy at Microsoft with an employee-built AI agent appeared first on Inside Track Blog.

Like many global companies, our network engineering environment here at Microsoft is gigantic.

It spans 88 countries, more than 700 buildings, 64,000 devices, 7,500 Microsoft Azure Virtual Networks, and nearly 150 lab sites. It’s a system that serves more than 220,000 employees and generates its fair share of service tickets, more than 170,000 per year.

How do you keep something of that size healthy?

Joshua Green and Soundarya Tekkalakota wondered if their team in Microsoft Digital, the company’s IT organization, could build an AI agent with Microsoft 365 Copilot to help accomplish this goal. Green, an Infrastructure and Engineering Services (IES) principal software engineering manager, and Tekkalakota, an IES product manager, quickly realized that the answer was a resounding yes, if they sprinkled in a helping of artificial intelligence and machine learning.

“We essentially put an AI lens on the network engineering challenges that already existed, and that our engineering teams have been dealing with for years,” says Tekkalakota, who served as lead product manager on the effort. “We decided to use AI to enable faster gathering of information and data insights, and to identify network problems more quickly and efficiently—this would give our network engineers more time to take the human actions needed to resolve issues.”

That kicked off their AI journey, in which they and their team built a custom engine agent before eventually using the extensibility capabilities of Microsoft 365 Copilot to create a declarative AI agent. The result is Network Copilot (also known as Network Infrastructure Copilot, or “NiC”), a powerful tool that provides support for various networking and infrastructure-management tasks and helps us work toward our goal of operating the industry’s most secure and reliable enterprise network.  

Importantly, Network Copilot is another proof point in our ongoing journey to show how we’re benefitting from Microsoft 365 Copilot internally here at Microsoft. Read this story to learn how we’re thinking about AI agents internally at Microsoft and to get our guidance on how to get started with them at your company.

The spark of inspiration

Soundarya Tekkalakota (left) and Joshua Green led the effort to develop Network Copilot, our pioneering new AI agent that’s helping us maintain our network. Tekkalakota, a product manager, and Green, an engineering manager, work in Microsoft Digital.

Network Copilot originated in a hackathon project in early 2023, inspired by the excitement at that time around generative AI and ChatGPT. Tekkalakota pulled together a small group of AI enthusiasts and launched the effort to develop a tool that would be able to simplify network management tasks.

“These were network engineers who were at that intersection of new tech enthusiasts and experts in their particular job,” Tekkalakota says. “We leaned on them heavily in the first few iterations of the project, collecting their feedback manually on what the right queries were. And as time went on, we kept adding more and more of these enthusiastic users to help us build the community, and to test the tool and gather feedback.”

On the engineering side, the project started out with a custom-agent approach, reflecting the available technology at that point in time.

“We went with a conversational agent built on Semantic Kernel and Azure OpenAI, because that was the only option at the time,” Green says. “Over time, we switched to a declarative-agent model based on the Microsoft 365 Copilot capabilities that were being released. In a sense, Network Copilot is the story of how fast AI technology is progressing, and how it’s becoming faster and easier to develop these kinds of tools.”

Improving network services with Network Copilot

Generative AI tools excel at one of the biggest challenges that network engineers face in their day-to-day work: how to quickly track down the specific information needed to resolve a network issue.

“There’s something like five to eight different steps in the network management workflow, and many of them have a manual component,” Tekkalakota says. “Network engineers drill through siloed documents like wikis and troubleshooting guides, data sources such as infrastructure data lake and incident management (IcM), and more to define data insights and documentation. We wanted to make this search faster and easier for these engineers.”

The answer was Network Copilot, an AI chat interface in which engineers can use natural-language queries to gain insights and determine recommended actions without leaving the flow of their work process.

“It’s a great solution because it keeps them in the context of their current work,” Tekkalakota says. “They don’t have to step out of the network lifecycle management task that they’re currently in to find answers. It gives them the next step in a concise, summarized manner—something that they would have to spend multiple hours tracking down outside of their context.”

The use of natural language to access network telemetry in real time is one example that Green cites when talking about how Network Copilot is transforming the way that engineers do their job.

“I can ask NiC, ‘What’s the network health of Building 32?’ and it will run a query against the network telemetry data,” he says. “Then it summarizes the results in a nice, clean report for the user, including details on risks and recommendations for that building’s network. Then the engineer can take the appropriate action.”

Transforming network engineering with a Copilot agent

Network Copilot provides the ability to summarize network health, analyze data, allow for plug-ins, summarize documentation and wikis, and generate incident ops reports.
Network Copilot was created with the flexibility to access different data sources and handle a variety of network engineering workflow tasks.

Network Copilot development journey

The initial development of Network Copilot as a custom agent meant it relied on plug-ins to give it more flexibility.

“We first built NiC in a very modular way, and all its capabilities were done with plug-ins and APIs,” Green says. “For example, we provided a library of more than 1,000 queries, which were written by the teams that know the data best (like the wireless team, which wrote queries to check the health of wireless access points). So, when Copilot is able to access that data, it can stand toe-to-toe with the network engineers because it’s able to draw on that same knowledge base.”

Then, when declarative agents were released in 2024, the development strategy shifted to take advantage of these faster, less code-heavy solutions.

“One of the things we’re always trying to do at Microsoft is provide low-code and no-code options,” Green says. “That’s what Microsoft 365 Copilot is focused on. Or you can go with full-code development, do it all yourself and have ultimate control and customization. Our journey with NiC was kind of a hybrid approach. We’re still on the journey from full code to low code; we’re not there yet.”

Overcoming the challenges of AI tool adoption

As Green, Tekkalakota and the team began rolling out Network Copilot to larger and larger groups of network engineers, they began running into some of the challenges inherent in widespread AI tool adoption.

“The first thing was just the cultural change of our engineers building the daily habit of using the tool, because it’s not always top of mind for them,” Tekkalakota says. “It’s the stickiness factor, and that’s something we’re still working on. The other challenge was what we came to call ‘prompter’s block,’ where the engineers weren’t sure what to ask in the NiC chat, or they wouldn’t keep querying to get better results. So, we put out newsletters and did road shows to educate them on the tool and how to use it. It’s more about a larger cultural shift.”

One major takeaway from this process was that users wanted more integrated and one-click solutions for interacting with Network Copilot.

“Some of it might be contextual, where we’re able to integrate NiC on a specific tab or page or in a specific web application,” Green says. “In some cases, it could be in the form of a button they click that sends a pre-created prompt to the back end. It’s a more simplified approach, rather than just giving people a free-range chat interface where they can ask anything.”

The impact of Network Copilot

Today, Network Copilot is available to our company’s network professionals through an internal preview and is used by more than 200 network engineers. By surveying users, Tekkalakota has already been able to show that NiC has made a significant difference in terms of employee time and effort.

“We’ve found that NiC can cut the amount of time engineers take searching for documentation and insights by 20 to 25 minutes for each successful prompt,” she says. “It also drastically reduces documentation time and has cut live incidents down by 10%.”

This finding is backed up by employees such as Brandon Hughes, a senior service engineer who played an important role in developing Network Copilot.

“Being able to extract data through natural-language questions is a huge departure from having to manually write a Kusto query, which could take you a few hours to refine in order to get the exact output that you want,” Hughes says. “Whereas in NiC, I can spend five minutes questioning it like a human and get a response that includes specific data points from the actual databases. We get a huge amount of value from Network Copilot on a day-to-day basis.”

Hughes and others are also working on extending the capabilities of Network Copilot to handle tasks such as generating customer update emails, troubleshooting suggestions based on service ticket details, and postmortem report generation. They even hope to add the ability for NiC to analyze images of network environments and provide feedback and optimization suggestions.

Taking a wider view, agents like Network Copilot offer the ability to manage complexity and empower users to accomplish more, no matter their role.

“In general, these agents are going to make our lives easier,” says Abhishek Kumar, a software engineer who also assisted in the development of Network Copilot. “We’re always working to reduce complexity, and agents take that a step further—decreasing complexity where it’s needed but allowing the full breadth of complexity when required. They’re enabling users to do things they normally wouldn’t be able to do.”

Network Copilot and AI agents: The journey continues

Software engineer Abhishek Kumar and senior service engineer Brandon Hughes made important contributions to the development of Network Copilot.

Tekkalakota and Green know that, for as much as Network Copilot can do now, the team has only just scratched the surface of the full potential that AI agents have to change the way IT—and the world—works.

“I think we’re one of the earlier efforts at Microsoft to build an AI agent, figuring out what skills it needs to have and then building them,” Tekkalakota says. “The next steps are to build on the agent capabilities that it already has, adding things like monitoring or predictive alerting. Then, eventually be able to connect to other agents; having a connected experience between Copilot agents is the uber goal.”

Green emphasizes that when it comes to AI, the pace of change is remarkable.

“It’s still early days for AI agents, and things are moving and changing extremely quickly,” Green says. “What we did with Network Copilot was kind of like building a foundation. Now we’re working on adding more capabilities. The potential is great—we’re just seeing the tip of the iceberg.”

Key Takeaways

We learned some important lessons while developing Network Copilot that you can draw on when creating your own AI agent solutions, including:

  • The team found it most effective to slowly build a community of enthusiastic users, continually soliciting feedback and ideas for improvements from these early adopters.
  • Users expect an AI agent to “just work” with one prompt. Query debugging features (“Help me with this error”) and contextual prompts encourage users to engage in a conversation to generate the information they need.
  • Users want the AI agent to know everything that their team knows. The Network Copilot team continues to expand the tool’s knowledge base with additional troubleshooting documents, network config files, and data sources.
  • It’s helpful if the agent is accessible from the UI the users are already in, so the team is working on an embedded Network Copilot experience in their custom web apps that offers buttons for commonly used functions.
  • Frequently requested use cases for Network Copilot include network device deployment failure remediation, network health and inventory, troubleshooting, and log monitoring for anomalies.
  • Technology moves fast. The team built Network Copilot in a modularized way (using plug-ins and APIs) so that they could adjust to the latest AI capabilities as they were released.
  • Follow best practices for accessing data from external sources, ensuring that your data is secure and sensitive information isn’t exposed.

Staying ahead of the AI curve with Microsoft 365 Copilot: How a champion does it
http://approjects.co.za/?big=insidetrack/blog/staying-ahead-of-the-ai-curve-with-microsoft-365-copilot-how-a-champion-does-it/
Thu, 16 Jan 2025 17:00:00 +0000

The post Staying ahead of the AI curve with Microsoft 365 Copilot: How a champion does it appeared first on Inside Track Blog.

Brian Shaw has been a Microsoft 365 Copilot enthusiast since the company first launched the generative AI solution in February 2023. But with AI tools evolving rapidly, he knew it would be a challenge to keep up with the latest changes and feature releases.

The most effective way he found to do that? Share his knowledge with other employees.

“One of the best ways to learn something is to train others,” says Shaw, a 17-year Microsoft veteran who currently works as a principal customer success account manager on the Retail and Consumer Goods team. “Every time I’ve trained a group on Power BI, I’ve learned something. It’s the same with Copilot. Someone asks a question—I have to figure out the answer. It keeps my skillset sharp and allows me to keep my technical focus.”

That passion for training and enthusiasm for the ways that Copilot can make everyone’s job easier explains why Shaw stepped up to be one of the first Copilot Champs at Microsoft—and why he remains one of the most dedicated evangelists for the technology solution at the company.

“I’m always finding new ways that Copilot can save you time,” he says. “And the great thing about that is that you can redirect that time to have more impact, whether that’s with a customer, in another aspect of your work, or with your community. It really helps magnify what you can accomplish.”

Customer Zero focus

Brian Shaw is an enthusiastic Copilot Champ at Microsoft and a principal customer success account manager on the Retail and Consumer Goods team.

Microsoft Digital, the company’s IT organization, puts a strong emphasis on Customer Zero: the idea that our employees—early adopters and consistent users of the latest Microsoft software tools and processes—should share their experiences with others, including our customers. It’s an idea that Shaw embraces wholeheartedly.

“If we as employees aren’t successful using Copilot, no one’s going to be successful,” Shaw says. “I’ve always heard that if Copilot helps you save 20 minutes a week for six straight weeks, you’ll be hooked. I want everyone to see those benefits, so that’s why I’m always encouraging people to get in the habit of using Copilot every day.”

One example Shaw cites is the way he uses Microsoft 365 Copilot to help him reduce his work email burden.

“I get up to 200 emails a day just from customer support cases, which can be difficult to keep up with,” he says. “So, I ask people to @mention me in the email. Then I can ask Copilot to go through all the emails where I’ve been @mentioned and tell me the subject line, who sent it, the date and time, and what task I need to complete. This allows me to get caught up very quickly and understand what my next actions are.”

On the leading edge

Shaw’s excitement in sharing his knowledge of Microsoft 365 Copilot comes directly from his passion for technology, according to those who work with him.

“Brian is an early adopter and a technologist at heart,” says Rod Combs, a leader in the Customer Success unit for Microsoft’s Eastern U.S. region. “He loves to learn and to be one of the first to master something. So, when Copilot first came along, Brian was in there messing around with it, trying to understand its capabilities and get the most out of it. From there, he’s continued to lead and drive engagement with Copilot across Microsoft.”

One of Shaw’s key principles when approaching any training session is to strive to explain technical points as simply as possible.

“I try to demystify Copilot for people,” he says. “For example, people often ask me, ‘Why are there so many Copilots?’ and I explain that there are basically three types of Copilot: a tools-based Copilot, an application-specific Copilot—like in Word or Outlook—and Copilot Chat, like the one you see at copilot.microsoft.com.”

Jody Ryan, director of Copilot Sales and Compete in Customer Health and Growth at Microsoft, agrees that Shaw’s ability to simplify things sets him apart.

“He really makes Copilot accessible for everyone to understand, just by the way he presents it,” she says. “Brian has a way of explaining things in a non-technical way so that everyone can grasp it, across all skill levels. I think that’s a key strength.”

Breaking down the three main ways that users interact with Microsoft 365 Copilot is just one of the ways that Brian Shaw helps demystify Microsoft 365 Copilot for fellow employees and customers.

A customer-centric mentality

Yen Anderson (left to right), Cadie Kneip, Jody Ryan, and Rod Combs share their thoughts on working with Shaw as he helps fellow Microsoft employees get the most out of Microsoft 365 Copilot. 

Another reason Shaw is so successful at helping fellow employees get the most out of Microsoft 365 Copilot is his “day job” as a customer success account manager (CSAM), which relies on some of the same strengths. It’s a parallel that Cadie Kneip has observed in her role as a leader of the Copilot Champs community.

“There’s something unique about the combination of skills that CSAMs have, of being very technical but able to deliver technical trainings in a way that lands a customer,” says Kneip, a readiness business program manager in Microsoft Digital tasked with finding creative ways to get more Microsoft employees using Copilot in their day-to-day work. “It tends to be very friendly and personable. I see that with Brian, who is very generous with his time to demo Copilot to so many fellow employees. I don’t know the exact number, but he’s completed more than 500 activities to help his peers learn Copilot.”

Yen Anderson, a fellow CSAM at Microsoft and another enthusiastic Copilot Champ, recognizes the skills and passion that Shaw brings to his Copilot advocacy.

“Brian really has a knack for instructional training and is masterful at walking people through a tool’s features and functionality,” she says. “He goes out of his way to amplify his impact and upskill the learning community at scale.”

Going global with Camp Copilot

Observing Shaw’s enthusiasm for Copilot trainings, Kneip invited Shaw to be part of Camp Copilot. The internal Microsoft event, held over three weeks in the summer of 2024, attracted 25,000 participants from around the world, all interested in learning more about how Microsoft 365 Copilot can enhance their work and magnify their impact.

“I ended up being one of the main presenters in Camp Copilot,” Shaw says. “Over my four sessions, we had more than 5,800 people attending and listening in. It was a lot of fun. And of course, I had a lot of people follow up with me and ask me to do a presentation to their team or group, sometimes for multiple sessions. I would never have had that opportunity if it wasn’t for Camp Copilot.”

Looking to what’s next

Always looking to the future, Shaw can’t wait to be a part of the next wave of features that Microsoft 365 Copilot releases.

“I like to say that the Copilot you’re using today is the dumbest Copilot you’ll ever use, because it’s constantly getting upgrades, getting smarter,” he says. “As it starts learning more about you and the things you work on every day, it’s going to give you better and better information.”

He cites the progression of Copilot in Excel as one example.

“When Excel Copilot first came out, it did maybe three things and I don’t think people were very excited,” he says. “But now that they’ve integrated Python into it, it can write code, create custom visuals, link multiple files and tables together, and more. It’s turned into a real tool that people who use Excel every day are just going to absolutely love, because it will save them a ton of time.”

Shaw’s also looking forward to the imminent introduction of automated agents with Microsoft 365 Copilot extensibility, which will bring even greater productivity enhancements.

“Soon, we’ll have agents where you can say, ‘Hey, create a Help Desk ticket on this issue’ and it just goes out and does it, and returns with, ‘Your ticket’s been opened, and here’s the link to it,’” Shaw says. “Having Copilot agents do that kind of thing is going to save people a significant amount of time and effort.”

In the meantime, Shaw will continue to keep teaching others about Copilot, which will help him stay ahead of the curve with a technology that he believes is changing the world.

“I’m always working to keep up with the roadmap, which is a large ask, but it’s also fun,” he says. “With Copilot, we’ll eventually have one central tool that can do everything. The future is going to be incredible. I can’t wait to see what the journey holds.”

Key Takeaways

Here are Shaw’s top tips and insights for using Microsoft 365 Copilot:

  • Let Copilot teach you how to use it. Copilot is one of the few tools that will tell you how to use it. For example, if you are unsure what you can accomplish with Copilot in Word, just say, “Hey Copilot, I’m new here. What are all the things you can do?” and it will tell you.
  • Use Copilot as an interactive conversation engine. Don’t think of Copilot as a search engine, where you type in one query and then page through the results. Instead, carry on a conversation with Copilot. Keep asking it questions until you have the information you need.
  • Ask Copilot to analyze your meeting while it’s happening. For example, if you’re in a Teams call with a customer, at any point you can ask Copilot, “Are there any questions that the customer asked that I haven’t answered yet?” Copilot will search the transcript and see if there’s anything that got skipped over; then you can go back and address those issues.
  • Treat Copilot like you would a new intern. You need to give Copilot the context it needs to produce valuable results. If you want the information in a table, tell it to make a table, including what information should be included and how it should be displayed. Give it specific instructions and you’ll have a much better chance of getting the output you want.
  • Use Copilot to catch things you might have missed. Copilot can do sentiment analysis to detect when a customer or team member is concerned or upset. It can also help you if you’re distracted during a call. Just ask Copilot, “Hey, can you summarize the last five minutes?” That way you don’t have to interrupt the call and ask, “Can you please repeat that?”

Transform your IT operations with Microsoft 365 Copilot: Insights from a champion
http://approjects.co.za/?big=insidetrack/blog/transform-your-it-operations-with-microsoft-365-copilot-insights-from-a-champion/
Thu, 12 Dec 2024 17:05:00 +0000


Yen Anderson remembers the first time she saw Microsoft 365 Copilot, the generative AI tool that the company launched in February 2023. She intuitively knew that the way she went about her job would never be the same.

“I realized I’d need to make significant changes in my work habits, and to start thinking with a different mindset in order to embrace AI,” says Anderson, a senior customer success account manager for Azure and AI. “So, I started to revamp the way I worked.”

She also immediately began to share her excitement about this powerful new virtual companion with her peers.

“By the second day after receiving Copilot, I was already demoing it to my internal team,” she says.

Helping her peers use the power of Microsoft 365 Copilot

Yen Anderson is a leading Copilot Champ at Microsoft and a senior customer success account manager for Azure and AI.

Today, less than two years later, Anderson is one of the leading internal evangelists for Copilot at Microsoft. She has presented her tips and insights on how to get the most out of Copilot for dozens of internal teams, town halls, conferences and other Microsoft audiences around the world. She estimates she’s trained over 16,000 employees so far.

Anderson’s passion for Copilot and willingness to share what she knew caught the attention of Cadie Kneip, a readiness business program manager who was trying to come up with creative ways to get more Microsoft employees to use Copilot in their day-to-day work. When Kneip launched the Copilot Champs community in January 2024, Anderson was one of the first employees she invited to join.

“Yen was one of the earliest Copilot Champs, and she’s probably the most famous,” Kneip says. “She’s just naturally passionate about Copilot and AI, and she’s been insanely generous with her knowledge companywide.”

Powered by the enthusiasm of employees like Anderson, Copilot Champs has taken off. In less than a year, more than 6,000 Microsoft employees have joined the program, Kneip says. It’s a great example of Microsoft Digital’s Customer Zero philosophy, which pushes employees to use the company’s latest tools and technologies.

“My focus has been on amplifying use of Copilot inside of Microsoft for full adoption for Customer Zero,” Anderson says. “I think if we fully embrace Copilot internally at Microsoft, we’re better equipped to help our customers fully embrace Copilot as well.”

A passion for prompting and saving time

Cadie Kneip and Brian Shaw share their thoughts on working with Anderson to help others experience Copilot.

Anderson’s internal advocacy and external promotion of Copilot—she frequently posts about ways to save time and work smarter with AI on LinkedIn and in her personal Substack newsletter—focuses on practical tips and strategies that have broad appeal.

“Yen always tries to keep the audience engaged,” says Brian Shaw, a principal customer success account manager in RCG and fellow Copilot Champ. “She does these interactive sessions where she shows you how she’s saving all this time using Copilot, and she has people hooked on every word. Her excitement is contagious.”

Kneip appreciates how Anderson’s deep knowledge of how to get the most out of Copilot is communicated in live demos rather than through preset examples.

“I love the way she demos Copilot—not by using screenshots or a slide deck, but with live prompting,” Kneip says. “She has an incredible reputation for being a prompt-engineering wizard.”

Anderson’s most recent training efforts have focused on how Copilot itself has evolved over the last year or so, and what she’s learned along the way. “The prompting has definitely changed from when I first started, to the point that it’s radically different,” she says.

Yen Anderson’s top five Copilot prompting tips

  • Use Copilot every day to build up that skilling muscle.
  • Keep it conversational and have at least 5-10 interactions with Copilot per session.
  • Try out the different Copilots in the Microsoft 365 apps.
  • Find a community of AI learners to share knowledge with.
  • Be a Copilot Champ! Help others learn the art of prompting.

How AI can improve job satisfaction and work/life balance

Anderson’s excitement about helping others unlock the power of Copilot is directly connected to the impact the tool has had on her own life.

“I’ve seen dramatic increases in my productivity and my well-being,” she says. “Copilot has the ability to help alleviate some of the problems with work today, like too many meetings, being overloaded, and not having time to do focused work. I’m a huge advocate of mental health in the workforce, and when you combine these productivity tools and mental frameworks with AI, that combination is a game changer in terms of improved work/life balance.”

One daunting task that Anderson was able to make easier through Copilot was employee self-reviews, known as Connects internally at Microsoft. She created a set of highly guided prompts that allowed employees to use Copilot to help them craft their self-reviews. She partnered with Human Resources to make sure the set of Connect-writing prompts that she created not only complied with company rules and regulations but also supported HR’s goals of helping to make the experience easier and more rewarding for employees.

Anderson also worked with Kneip to distribute train-the-trainer sessions on her Connect-writing prompts.

“Yen and I did several ‘Copilot for Your Connects’ sessions, and we also ran a Teams channel called Connects Helpline to answer questions about prompts,” Kneip says. “Microsoft is a competitive place, but Yen is so generous with her time in helping other employees. This is not her regular job, but she does this extra work because she believes it’s valuable and the right thing to do.”

The future of Microsoft 365 Copilot

Anderson herself can’t wait to see what happens in the world of work as Copilot and other AI tools get better and better.

“I’m really excited about the use of agents, where a string of Copilots are working on our behalf,” she says. “Eventually, I want to be able to dictate to Copilot and say, ‘Send my team a communication about this topic, and distribute it to all the relevant Teams channels, and then create a nice flyer in order to incentivize people.’ And then Copilot will go off and do that for me.”

Anderson believes that this is the true power of AI: to free up humans so they have the time and energy to pursue things they are truly passionate about.

“It’s definitely changed my life. Because of Copilot, I’ve rediscovered my love of writing and being creative again. I’d forgotten about all of that,” she says. “And I hope I can empower others to unlock something inside of them that they’ve forgotten about and give them the time and freedom to pursue the things that give them joy. That’s why it’s so exciting to be at Microsoft, at the forefront of AI.”

Key Takeaways

Here are some tips from Anderson on how you can get started with Copilot prompting:

  • Diversify: Add variety in sentence structure or vocabulary to your prompts.
  • Elaborate: Add more detail or explanation to a given point.
  • Explain: Make the meaning of something clearer in the rewrite.
  • Exaggerate: When you want to add hyperbole in the rewrite.
  • Illustrate: Provide examples to better explain the point.
  • Paraphrase: Useful when you want to avoid plagiarism.
  • Reframe: Change the perspective or focus on the rewrite.
  • Simplify: Reduce the complexity of the language.
