M365.FM - Modern work, security, and productivity with Microsoft 365

How Enterprises Should Govern Microsoft Copilot

Microsoft Copilot is not just another productivity tool. It is a structural stress test for your entire Microsoft 365 environment. Most organizations still operate under a legacy “open by default” mindset built for human navigation, but AI changes the equation completely. Copilot can surface sensitive files, forgotten SharePoint content, orphaned Teams channels, and years of overshared documents within seconds. The challenge is not whether Copilot respects permissions—it does. The real problem is that most enterprise permissions were never designed for machine-speed retrieval. In this episode, we break down why governance—not licensing—is now the single most important factor in successful Copilot deployment. WHY “OUT-OF-THE-BOX” SECURITY ISN’T ENOUGH Many organizations assume Copilot is secure because it only shows users content they already have access to. But decades of poor SharePoint hygiene, inherited permissions, and “Everyone except external users” groups have created a massive visibility gap inside most tenants. AI eliminates obscurity. Sensitive documents hidden deep inside legacy sites are no longer difficult to find. Copilot can instantly synthesize and summarize information that employees were never actively searching for before. This episode explains how oversharing becomes exponentially more dangerous in the AI era and why organizations must move from “trust by default” to “verify by context.”  KEY TOPICS COVERED * The “Oversharing Multiplier” and why legacy SharePoint permissions are now a major AI risk * How indirect prompt injection attacks like EchoLeak and Reprompt change enterprise security models * Why traditional DLP is no longer enough for AI-powered workflows * How Microsoft Purview becomes the governance backbone for Copilot deployments THE NEW AI ATTACK SURFACE Copilot introduces a completely new category of enterprise risk. Instead of malware or traditional exploits, organizations now face natural-language attacks that manipulate AI behavior through documents, emails, and embedded instructions. The episode explores how Retrieval-Augmented Generation (RAG) pipelines can unintentionally process malicious instructions hidden inside business content. We discuss why prompt injection is becoming the “SQL injection” of the generative AI era and how enterprises must rethink security boundaries around prompts, context windows, and AI interactions themselves.  RISK-TIERED DEPLOYMENT STRATEGIES Turning Copilot on for everyone at once is one of the biggest mistakes organizations make. Instead, successful enterprises are following a tiered rollout model. Tier 0 focuses entirely on remediation and data cleanup before any licenses are assigned. Tier 1 introduces Copilot to low-risk technical users and Centers of Excellence. Tier 2 expands adoption to broader business units like sales and marketing, while Tier 3 is reserved for highly sensitive domains such as Finance, HR, and Legal. This episode explains how a phased deployment model prevents rollout failures, reduces governance panic, and creates measurable ROI over time.  GOVERNANCE STRATEGIES DISCUSSED * Restricted SharePoint Search as a temporary containment mechanism * Adaptive scopes and sensitivity labels inside Microsoft Purview * Prompt-level DLP enforcement for AI interactions * Lifecycle management for AI-generated content and summaries PURVIEW, DLP, AND AI GOVERNANCE IN 2026 Microsoft Purview is evolving into the operational control plane for enterprise AI. In this episode, we explore how Purview enables organizations to classify content dynamically, monitor AI interactions in real time, and enforce AI-specific governance policies. We also discuss the rise of Interaction DLP—security controls designed specifically for prompts and generated responses rather than static files. From preventing sensitive prompts from reaching external web grounding to monitoring AI-generated summaries, modern governance now operates directly inside the interaction layer itself.  THE EXECUTIVE TRUST PARADOX Enterprise leaders understand that AI is strategically necessary, but many still lack confidence in their organization’s data foundation. This creates what we call the “Executive Trust Paradox”—the tension between urgency to deploy AI and fear of catastrophic oversharing or hallucination events. The episode explores why governance maturity—not technology maturity—is now the primary blocker for enterprise-scale Copilot adoption. We also discuss how telemetry, auditability, and measurable controls help organizations move from policy theater to operational reality.  BUILDING A GOVERNANCE-AWARE CULTURE Technology alone will not solve AI governance challenges. Organizations must also close the “Prompt Literacy” gap by teaching employees how to interact with AI systems responsibly and effectively. We explain why prompting is becoming a core digital skill and why governance frameworks must include training, departmental AI champions, human-in-the-loop verification, and clear accountability standards for AI-generated content. Successful Copilot deployments are ultimately built on a combination of technical controls, operational discipline, and cultural maturity.  IN THIS EPISODE YOU’LL LEARN * Why Copilot exposes existing governance failures instead of creating new ones * How enterprises should structure AI rollout tiers based on risk * The role of Microsoft Purview in AI governance and compliance * Why AI-generated content requires lifecycle management and retention policies * How organizations can measure realized ROI instead of theoretical productivity gains * Why governance-aware culture is now a competitive advantage Microsoft Copilot has the potential to fundamentally transform enterprise productivity, but only if organizations treat governance as infrastructure instead of a compliance afterthought. AI success is no longer determined by who buys the licenses first. It is determined by who builds the safest, cleanest, and most governable digital estate. This episode delivers a practical roadmap for IT leaders, architects, security teams, and executives navigating the future of Microsoft 365 AI governance in 2026 and beyond. Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support [https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support?utm_source=rss&utm_medium=rss&utm_campaign=rss].

Too Many Places for Notes: Navigating OneNote, Loop, Copilot, and More with Karinne Diamond Bessette [MVP]

In this episode of the m365.fm podcast, Mirko Peters sits down with Microsoft MVP, educator, technical storyteller, and community leader Karinne Diamond Bessette to explore one of the biggest productivity challenges in the modern workplace: information chaos. Between OneNote, Loop, Teams, Copilot, Planner, Whiteboard, Outlook, and SharePoint, employees today have more places than ever to store ideas, tasks, meeting notes, project updates, and collaborative content. The result? Many organizations struggle to decide where information should actually live and how to keep everything organized, searchable, and actionable. THE EVOLUTION OF MICROSOFT 365 COLLABORATION Karinne shares her journey from support engineering and operations into the world of enablement, technical storytelling, and Microsoft 365 advocacy. Her experience helping both technical and non-technical users gives her a unique perspective on how collaboration tools should work in real-world environments. Throughout the episode, she repeatedly emphasizes the importance of translating technology into something humans can actually understand and use effectively. One of the central themes in the discussion is the growing complexity of the Microsoft 365 ecosystem. What once started as a productivity suite focused on Word, Excel, and Outlook has evolved into a massive connected collaboration platform with overlapping tools, AI integrations, and constantly changing workflows. Karinne explains that while flexibility is valuable, it also creates a major challenge for users trying to decide where to create notes, how to manage information, and how to avoid duplication. WHY ONENOTE STILL MATTERS The conversation dives deeply into the evolution of note-taking itself. Karinne explains how she originally moved from scattered text files on her desktop into OneNote because it allowed her to centralize and search information more effectively. However, she also introduces one of the most memorable quotes of the episode: “OneNote is where notes go to die.” The problem, according to Karinne, is not that OneNote is bad. The issue is that many users capture information inside notebooks but never revisit it, organize it properly, or connect it to actionable workflows. Important ideas often disappear into large personal notebook structures without reminders, visibility, or collaboration. HOW LOOP IS CHANGING TEAMWORK This naturally leads into one of the episode’s biggest topics: Microsoft Loop. Karinne explains why Loop has become one of her favorite tools inside the Microsoft ecosystem. She describes Loop as a bridge between email, Teams, tasks, and collaborative content. Rather than creating multiple copies of information across different applications, Loop allows users to maintain a single shared component that stays synchronized everywhere it appears. This creates what she calls a “single source of truth” experience for collaboration. The episode explores several practical use cases where Loop becomes extremely powerful: * Shared meeting notes * Collaborative task tracking * Persistent project updates * Cross-team coordination One of the most interesting insights from the discussion is that many organizations are already using Loop without realizing it. Karinne explains how modern Microsoft Teams meeting notes now automatically generate Loop-powered collaborative pages behind the scenes. Instead of meeting notes disappearing inside endless Teams chats, organizations can now maintain persistent collaborative workspaces connected to tasks, updates, and shared action items. COPILOT PAGES, NOTEBOOKS & AI CONTEXT The conversation also dives into Microsoft Copilot Pages and Copilot Notebooks, which Karinne sees as the next evolution of contextual AI collaboration. These tools allow organizations to gather multiple information sources into centralized workspaces that can then ground AI responses against a specific project context. Karinne shares a practical example from a large event project where she combined: * Emails * Teams messages * Planning calls * Loop pages into one centralized notebook. She was then able to ask Copilot to generate summaries, identify action items, and surface the most relevant information for her specific responsibilities during the event. Tasks that previously would have required hours of manual review were completed in minutes. THE FUTURE OF ENTERPRISE SEARCH Another major theme throughout the episode is enterprise search and how AI is fundamentally changing the way organizations retrieve information. Karinne explains that traditional folder structures and file organization are becoming less important because Copilot increasingly understands context, relationships, and semantic meaning rather than relying purely on filenames or locations. She shares an example where she could not manually locate an old PowerPoint presentation but was able to ask Copilot about a presentation tied to a specific event date — and the AI surfaced the correct file almost instantly. This shift toward contextual search represents one of the biggest changes in knowledge management the Microsoft ecosystem has ever seen. WHY GOVERNANCE & METADATA MATTER MORE THAN EVER The discussion also highlights the growing importance of metadata, governance, and information hygiene in the AI era. Karinne introduces the concept of “ROT data,” which stands for: * Redundant * Obsolete * Trivial content that pollutes enterprise systems and weakens AI-generated responses. She explains that organizations now face an urgent challenge: AI systems can only be as trustworthy as the information they are trained or grounded on. If outdated documents, duplicated files, poor metadata, or irrelevant content dominate enterprise storage systems, AI tools may surface inaccurate or misleading information. Because of this, Karinne strongly advocates for better governance practices, including document ownership, lifecycle management, expiration reviews, and relevance monitoring. She also discusses how Microsoft is beginning to introduce mechanisms that reduce the importance of stale or untouched content inside AI-powered search experiences. ENABLEMENT IS THE MISSING PIECE Another powerful part of the episode focuses on workplace enablement and digital adoption. Karinne believes organizations need more people acting as translators between technical systems and business users. She explains that technology alone does not create productivity. Companies need internal champions who can guide users, simplify concepts, encourage learning, and help teams understand how tools should actually fit into their daily workflows. The episode highlights how organizations often underestimate the importance of: * Training * Adoption programs * Internal champions * Learning culture without realizing these elements are often the real reason technology projects succeed or fail. AI, CREATIVITY & HUMAN COLLABORATION The episode also touches on AI creativity, collaboration, and the fear that AI may reduce human thinking. Karinne strongly disagrees with the idea that AI makes people less intelligent. Instead, she sees AI as a brainstorming partner and creative accelerator that can help users refine ideas, organize concepts, and improve communication. She shares examples of using AI to enhance presentation structures, storytelling, and content development while still relying heavily on human expertise and editing. According to Karinne, AI works best when humans stay actively involved in shaping the final outcome. THE FUTURE OF WORK INSIDE MICROSOFT 365 Toward the end of the conversation, the discussion shifts toward future Microsoft 365 trends. Karinne highlights how Microsoft is increasingly moving toward AI-grounded collaboration, context-aware productivity, integrated workspaces, and agent-driven workflows. She believes the future of work will rely less on manually navigating applications and more on AI systems capable of understanding intent, surfacing context, and orchestrating workflows automatically. The conversation paints a picture of a future where collaboration becomes: * More contextual * More intelligent * More connected * More AI-assisted while still requiring strong governance, clean information architecture, and Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support [https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support?utm_source=rss&utm_medium=rss&utm_campaign=rss].

Secure-by-Design AI: Protecting MLOps in the Microsoft Cloud with Martin Dimovski [MVP-MCT]

In this episode of the m365.fm podcast, Mirko Peters sits down with Microsoft MVP, MCT, cloud security expert, and community leader Martin Dimovski to explore one of the most important topics in modern enterprise IT: securing AI workloads and MLOps environments inside the Microsoft Cloud. Together, they dive deep into secure-by-design architecture, AI security risks, DevSecOps, Prompt Injection attacks, identity protection, Microsoft Defender, GitHub Advanced Security, and the future of AI-driven cyber threats. Martin shares his personal journey from IT support engineer into cloud security and AI security architecture, explaining how years of experience in infrastructure, Azure, DevOps, and Microsoft technologies ultimately pushed him toward cybersecurity and AI governance. The discussion highlights why AI security is no longer optional and why organizations that move too fast without proper security foundations could face major problems in the coming years. WHY AI SECURITY MATTERS NOW MORE THAN EVER One of the strongest themes throughout this episode is the speed at which organizations are deploying AI systems without fully understanding the security implications behind them. Martin explains that many companies are currently: * Deploying AI solutions rapidly * Experimenting with LLM integrations * Building AI agents * Creating cloud-native AI workloads * Using open-source AI models * Integrating APIs into production environments But at the same time, organizations often forget the security fundamentals that should protect these environments. The conversation explores how AI introduces completely new attack surfaces while simultaneously amplifying existing security problems. WHAT “SECURE-BY-DESIGN” REALLY MEANS A major focus of the episode is understanding the concept of secure-by-design architecture. Martin explains that security should never be added after development is complete. Instead, security conversations must begin at the very first design phase of any application or AI project. The discussion covers: * Threat modeling * Architectural reviews * Identity security * Authentication planning * Secure pipelines * Infrastructure protection * Secure APIs * Data governance Martin shares why collaboration between developers, architects, DevOps engineers, and security teams is absolutely essential for building resilient AI systems. One of the key takeaways: Security teams should not become blockers for innovation — they should become partners in building secure systems. UNDERSTANDING MLOPS & DEVSECOPS For listeners newer to AI infrastructure topics, Martin breaks down the differences between: * DevOps * DevSecOps * MLOps * Secure AI pipelines The episode explains how machine learning operations combine infrastructure, automation, data engineering, model deployment, and monitoring into one continuous operational process. Martin also highlights why traditional security approaches are no longer enough once organizations start integrating: * Large Language Models * AI agents * Cloud AI services * AI APIs * AI orchestration pipelines The discussion shows how modern security must now cover not only infrastructure and applications, but also models, prompts, training data, inference pipelines, and AI-generated outputs. THE REAL DANGER OF PROMPT INJECTION One of the most fascinating parts of the episode is Martin’s explanation of Prompt Injection attacks. Using simple real-world analogies, Martin explains how attackers manipulate Large Language Models by overriding or bypassing original system instructions. The conversation explores: * Direct Prompt Injection * Indirect Prompt Injection * AI manipulation * LLM instruction abuse * Malicious prompts * Unsafe AI agents * Context hijacking * Data extraction risks Martin explains why prompt injection is becoming one of the most discussed attack vectors in AI security today and why organizations need to start thinking about AI trust boundaries immediately. THE HIDDEN RISK OF OPEN-SOURCE MODELS Another major topic is the increasing use of publicly available AI models. Martin shares concerns around: * Downloading unverified models * Compromised Hugging Face repositories * Malicious AI packages * Unsafe dependencies * Supply-chain attacks * API key exposure * Secret leakage * Public model poisoning The discussion highlights how organizations may unknowingly introduce compromised models directly into production environments. This section serves as a major warning for companies rushing into AI adoption without proper governance and validation processes. WHY IDENTITY SECURITY IS EVERYTHING Identity and access management become another core theme throughout the episode. Martin strongly emphasizes the importance of: * Microsoft Entra ID * Privileged Identity Management * Just-In-Time access * Least privilege * Identity governance * Access reviews * Role separation * Conditional Access One of the strongest lessons from the conversation is that attackers often do not need to break systems — they simply abuse existing permissions and weak access configurations. Martin explains why organizations should avoid giving permanent privileged access and instead embrace short-lived administrative permissions wherever possible. MICROSOFT DEFENDER & AI SECURITY The episode also dives deeply into the Microsoft security ecosystem and how Microsoft Defender is evolving to protect AI workloads. Martin discusses: * Microsoft Defender for Cloud * Defender XDR * AI workload monitoring * Real-time scanning * Azure AI Foundry protection * Threat visibility * Security telemetry * Cloud-native protection According to Martin, Microsoft Defender is becoming one of the most powerful unified security platforms for organizations heavily invested in Microsoft technologies.  Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support [https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support?utm_source=rss&utm_medium=rss&utm_campaign=rss].

Inside Enterprise Security: AD Tiering & Privileged Access with Viktor Hedberg [MVP - MCT]

In this episode of the m365.fm podcast, Mirko Peters sits down with cybersecurity expert Viktor Hedberg to explore one of the most critical — and misunderstood — areas of enterprise IT security: Active Directory tiering, privileged access, identity protection, and defending modern hybrid environments. With years of experience in incident response, offensive security, Active Directory hardening, and enterprise defense at Truesec, Viktor brings practical, real-world insights into how organizations can dramatically improve their security posture before attackers exploit their weaknesses. The conversation begins with Viktor sharing his personal journey into cybersecurity. Unlike many traditional security professionals, Viktor did not come from a university background. Instead, he worked his way from helpdesk and system administration into consultancy and incident response, gaining deep technical knowledge of Windows, Active Directory, infrastructure, and enterprise security along the way. That hands-on experience became the foundation for understanding both how to secure systems and how attackers compromise them. WHY ACTIVE DIRECTORY IS STILL A MASSIVE TARGET One of the strongest themes throughout the episode is the fact that Active Directory is far from dead. Despite the rise of Microsoft Entra ID, cloud-first environments, and SaaS adoption, Active Directory still remains the backbone of identity and access management in countless organizations worldwide. Viktor explains why attackers continue targeting Active Directory environments: * Cached credentials * Password hashes stored locally * Kerberos tickets * Overprivileged accounts * Weak administrative separation * Poor tiering implementation * Excessive lateral movement opportunities The discussion highlights how many organizations unknowingly expose highly privileged accounts simply by allowing administrators to sign into workstations, laptops, and servers without restrictions. Viktor explains that in many environments, compromising a single endpoint can ultimately lead to full domain compromise because of how Windows authentication and credential storage work internally. UNDERSTANDING AD TIERING A major focus of the episode is understanding the concept of Active Directory administrative tiering. Viktor breaks down how organizations can separate systems and administrative responsibilities into different security tiers to limit credential exposure and reduce the blast radius during an attack. The discussion explores: * Tier 0 systems * Tier 1 servers * Endpoint administration * Domain controllers * Entra Connect servers * PKI infrastructure * Administrative boundaries * Credential isolation One of the key lessons from the episode is that organizations often underestimate which systems actually belong in Tier 0. Viktor explains why systems like Microsoft Entra Connect, PKI servers, SCCM infrastructure, and identity synchronization services can effectively become equivalent to domain controllers from a security perspective. THE DANGER OF BUILT-IN ACTIVE DIRECTORY GROUPS Another critical topic is the misuse of built-in Active Directory groups. Viktor shares real-world examples where organizations accidentally introduced major privilege escalation paths by using groups like: * Print Operators * Backup Operators * Server Operators * Account Operators The episode explains why many administrators misunderstand the true permissions behind these legacy groups and how attackers can abuse them to gain elevated access inside the domain. This section serves as a strong reminder that convenience and lack of visibility often create the biggest enterprise security risks. MODERN ATTACKERS ARE CHANGING THEIR STRATEGY One of the most fascinating discussions in the episode focuses on how modern attackers operate today. According to Viktor, traditional offensive tools like Mimikatz, Metasploit, and obvious malware payloads are becoming less common because modern EDR solutions detect them more effectively. Instead, attackers increasingly: * Use native Windows tooling * Abuse PowerShell * Leverage SSH on Windows * Blend into normal system activity * Exploit legitimate administration features * Hide inside normal enterprise traffic Viktor shares examples of how attackers can abuse built-in Windows functionality to bypass monitoring while avoiding traditional malware detection methods entirely. The episode highlights why defenders must understand Windows internals — not just security products — to properly defend enterprise environments. WHY DEFENDER FOR IDENTITY MATTERS Throughout the conversation, Viktor repeatedly emphasizes the importance of Microsoft Defender for Identity and proper security monitoring. The discussion covers: * Identity-based attack detection * Correlation between endpoint and identity events * Privileged account monitoring * Threat visibility * Hybrid identity protection * Security telemetry * Custom indicators * Advanced detection strategies Viktor explains why organizations need both endpoint visibility and identity visibility to properly understand modern attacks. The episode also explores why simply purchasing security products is not enough if organizations fail to configure them correctly or actively monitor their environments. WHAT TO DO DURING A CYBER ATTACK One of the most practical parts of the episode is Viktor’s advice on incident response. When organizations suspect an attack, Viktor strongly recommends: * Do not shut systems down * Disconnect network access if necessary * Preserve forensic evidence * Avoid destroying logs * Contact incident response professionals quickly * Keep systems intact for investigation He explains how many organizations accidentally make investigations harder by turning off firewalls, rebooting systems, or deleting evidence before responders arrive. The conversation provides valuable insight into how professional incident response teams approach compromised environments and why preserving evidence is absolutely critical. Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support [https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support?utm_source=rss&utm_medium=rss&utm_campaign=rss].

Why Simplicity Wins in Microsoft 365 with Evi van der Velden [MVP]

In this episode of the m365.fm podcast, Mirko Peters sits down with Microsoft MVP Evi van der Velden to discuss one of the most underestimated topics in modern IT: simplicity. Together, they explore Microsoft 365 governance, Copilot adoption, metadata, SharePoint, user adoption, digital stress, AI readiness, and why organizations often make technology far more complicated than it needs to be. Evi shares her unique journey into the Microsoft ecosystem, moving from leisure management and event organization into the world of Microsoft 365, user adoption, and governance. In just five years, she became a recognized Microsoft MVP and one of the strongest voices in the community around practical Microsoft 365 adoption and simplification strategies. The conversation focuses heavily on the human side of technology and why successful Microsoft 365 environments are not built only through technical configurations, but through communication, training, governance, and helping users understand how to work smarter. WHY MICROSOFT 365 FEELS OVERWHELMING One of the biggest themes in this episode is the increasing complexity of the Microsoft ecosystem. Evi explains how Microsoft 365 has evolved far beyond Word, Excel, and PowerPoint into a massive connected platform including Teams, SharePoint, OneDrive, Power Platform, Copilot, Viva, and many other services. While the platform offers incredible flexibility and possibilities, many organizations struggle because users simply do not understand how the tools work together. The discussion explores: * Information overload * Tool fatigue * User confusion * Rapid feature changes * AI disruption * Governance complexity Evi shares why simplicity is not about removing functionality, but about helping users focus on the right tools and the right workflows for their daily work. THE REAL VALUE OF SHAREPOINT One of the most interesting parts of the episode is Evi’s passion for SharePoint. While many people still think of SharePoint as only a document management platform, Evi explains why she sees SharePoint as the engine behind the entire Microsoft 365 ecosystem. The conversation dives into: * SharePoint Lists * Document libraries * Metadata * Power Platform integration * Power Apps * Power Automate * Lifecycle management * Knowledge management Evi shares practical examples of how SharePoint can be used as a flexible front-end for business solutions and automation without creating unnecessary technical complexity. WHY COPILOT ADOPTION OFTEN FAILS The discussion naturally shifts toward Microsoft Copilot and AI adoption. Evi explains that many organizations still approach Copilot completely wrong. They buy licenses, provide one training session, and then expect employees to magically change the way they work. According to Evi, successful Copilot adoption requires: * Continuous enablement * Habit creation * Business-specific use cases * AI literacy * Governance * Ongoing communication * User support The episode explores why many employees know how to use ChatGPT casually at home but struggle to use AI effectively inside enterprise business scenarios. Evi also explains why organizations need to provide safe AI environments and guidance rather than simply blocking AI usage completely. AI IS A MIRROR FOR ORGANIZATIONS One of the strongest insights from the episode is Evi’s perspective that AI does not create organizational problems — it exposes them. The conversation highlights how Microsoft Copilot surfaces: * Poor permissions * Outdated files * Overshared content * Weak governance * Unstructured data * Missing lifecycle management Organizations that ignored governance for years are now discovering that Copilot makes those issues visible immediately. Evi explains why AI readiness is not only about licensing or technology but about understanding: * Data quality * Permissions * Archiving * Information architecture * Governance ownership * User responsibilities THE IMPORTANCE OF METADATA Another major topic in the episode is metadata and why Evi believes it is one of the most powerful — and most ignored — features inside SharePoint. Instead of relying only on deeply nested folder structures, Evi explains how metadata can create: * Dynamic document views * Role-based knowledge access * Cleaner navigation * Better search experiences * Simplified information management She shares practical examples of building knowledge bases using SharePoint libraries and metadata-driven filtering to ensure employees only see information relevant to their role. The episode makes a strong case for moving away from traditional file structures toward modern information architecture. SIMPLICITY VS CUSTOMIZATION Evi also shares her thoughts on customization inside Microsoft 365. While many IT professionals enjoy building custom solutions, Evi warns that over-customization often creates long-term maintenance problems and unnecessary complexity. Her philosophy is simple: “Everything you build can break.” The discussion explores why organizations should first maximize standard Microsoft 365 capabilities before creating heavily customized solutions. Key areas include: * Standardization * Governance * Sustainable architecture * Native Microsoft functionality * User-focused design * Simplicity-first thinking WHY CHANGE MANAGEMENT MATTERS MORE THAN EVER One of the most important takeaways from this conversation is that modern IT is becoming less technical and more human-focused. Evi explains that administrators and IT teams increasingly need skills in: * Communication * User adoption * Governance * Change management * Training * Organizational guidance Technology alone no longer guarantees success. The organizations that succeed with Microsoft 365 and AI are the ones that help employees understand how to work differently, not just how to use another tool.  Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support [https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support?utm_source=rss&utm_medium=rss&utm_campaign=rss].