Shaping the future of retail with AI and Dynamics 365

This article is contributed. See the original author and article here.

In an industry defined by both growth and disruption, retailers are depending on technology to navigate challenges ranging from shifting purchase habits to supply chain complexities. Next week, at the National Retail Federation (NRF) Big Show, Microsoft will demonstrate Dynamics 365 solutions powered by AI to help accelerate retail agility and innovation in the next decade.  

In addition to solutions powered by Microsoft Cloud for Retail, this vision for the future of retail is spotlighted by new Copilot capabilities for Dynamics 365 applications, including:  

  • Microsoft Dynamics 365 Customer Insights, providing retailers with AI-powered experiences to transform daily marketing workflows. 
  • Microsoft Dynamics 365 Supply Chain Management, providing AI-powered guidance for demand planning, streamlining procurement, and enhancing supply chain visibility.

NRF attendees can learn more about the transformative power of AI across the retail industry by attending two Big Ideas Sessions hosted by Shelley Bransten, Corporate Vice President, Global Retail, Consumer Goods, and Gaming Industries, and Kathleen Mitford, Corporate Vice President, Global Industry Marketing. 

Helping retailers personalize the shopping experience  

Retailers often tell us that they’re under pressure to get marketing and customer experience projects and campaigns to market faster and are asked to do more with less. Yet, the processes and tools they use haven’t evolved to meet this demand.  

Deploying a project to market requires various roles or specialists, costly third-party agencies, and siloed applications to review data and create content. Monitoring results for optimization also becomes a time-consuming and tedious task that requires tracking down the right people with the right application and the right data. These challenges not only hinder a campaign’s time to market and employee productivity, but can also result in a disjointed customer experience.

It’s not just our customers who are feeling the burden of these challenges. The market is feeling it too. For instance, 63% of surveyed retailers said they hope they can improve their marketing with AI in the next 18 to 24 months.¹ In the age of AI, shouldn’t it be easier to get your campaigns to market?

We are announcing new Copilot features in Dynamics 365 Customer Insights that will transform how marketers manage and maintain projects and campaigns, increasing productivity, efficiency, and speed to market. These new capabilities build on Copilot features introduced in the past year, including, but not limited to, the ability to generate content ideas, query customer data using natural language, and create customer segments and journeys using next-generation AI. 

Marketers can kick-start their marketing project by writing their campaign objective in natural language, or by uploading an existing creative brief. The project board is then generated using the prompt or brief, connected organizational data, and previous campaigns in Customer Insights. The project board streamlines and connects all workflows into one place for building and managing marketing assets. 

Copilot screen in Dynamics 365 Customer Insights, showcasing a user-friendly interface empowering customers to initiate and streamline their marketing projects effortlessly.

“These new copilot capabilities in Dynamics 365 Customer Insights will enable us to focus our time and energy in the right places—better informing us on optimization priorities without the need to dig into details manually. That alone saves so much time.” 

—Hannah Harper, Leatherman, Digital Marketing Manager 

From the project board, marketers can view the campaign’s target audience and segments, as well as recommendations from Copilot for additional segments that may not have been previously considered. Selecting a suggested audience segment automatically generates a complementary customer journey, saving marketers time while also helping them deliver a personalized customer experience. 

Dynamics 365 Customer Insights' project board—highlighting curated audiences for streamlined marketing customization

End-to-end customer journeys containing personalized touchpoints, such as promotional emails or event invitations, are generated using Copilot. Through our partnership with Typeface and its enterprise-grade generative AI capabilities, marketers can produce brand-authentic images across assets, supercharging personalized content for greater impact—all from within Dynamics 365 Customer Insights. Additionally, Typeface helps align content to the organization’s brand guidelines, including themes, fonts, and product images—extracted from a central asset library.

“Every aspect of the enterprise is already being redefined with generative AI, from developer to product to sales experiences. By combining Dynamics 365 Customer Insights with Typeface’s powerful storytelling engine, we’re fundamentally reshaping campaign workflows with generative AI by starting with just a goal. This means personalizing content at an unprecedented scale, bridging the gap between content and data, and ushering in a new era of marketing creativity and productivity.”

Abhay Parasnis, Founder and CEO of Typeface 

These Copilot capabilities will be available in preview in the first quarter of 2024, with general availability by the third quarter of 2024. Existing Customer Insights customers can sign up now for the early access public preview program here.

This is just the beginning; we will be delivering further content curation, journey testing, and metrics monitoring to optimize campaigns. Our vision is that, together, this new AI-first experience will transform how marketers work by reducing the complexities of end-to-end campaign management and enhancing marketer productivity and ROI.

Build a real-time retail supply chain 

In 2024, retail supply chains face countless challenges, from labor shortages and increasing costs to complexities across omnichannel retail experiences. Enterprise AI solutions, now readily available for retailers, can power greater efficiency, productivity, and innovation across the supply chain.  

At Microsoft, we aim to deliver new supply chain innovations powered by Copilot to our customers through our open, flexible, and collaborative Microsoft platform, helping organizations to reduce risk, manage inventory, plan with flexibility, and make quick decisions across the whole supply chain.

New Copilot capabilities to improve demand planning

A retailer’s success hinges on having the right inventory at the right place at the right time, and that starts with successful demand planning. In November 2023, we announced new demand planning capabilities in Dynamics 365 that use AI, machine learning, and external signals to predict demand accurately, and now we are enhancing them with Copilot. This will help planners understand how a forecast was generated and help them find patterns and anomalies.

Copilot will also help them make sense of complex relationships across datasets using natural language interactions, and it will assist with the routine task of preparing demand review reports, giving planners more time to focus on high-priority activities.

Some of our customers, including Domino’s Pizza UK & Ireland, can use the new demand planning capabilities to make smart predictions from the data and insights.

“The demand planning capabilities in Dynamics 365 are helping us make the right decisions to lower wastage, avoid unnecessary deliveries, and be cybersafe.”

Neha Batra, Head of Business Solutions, Domino’s Pizza UK & Ireland

The new demand planning capabilities create a more flexible, simplified, and intuitive user experience. Planners have an increased level of trust and can rely more on the forecast, knowing how it’s generated. The latest demand planning capabilities help reduce excess inventory and increase working capital for retailers.

New Copilot capabilities to improve productivity and proactively mitigate disruptions  

In November 2023, we also announced new Copilot capabilities in preview for Dynamics 365 that enable supply chain teams to take actions based on insights with conversational help while in the flow of work. This helps increase productivity and improve collaboration among employees across the supply chain and other cross-functional teams to proactively mitigate disruptions and further automate their workflows. See the capabilities in action.

We also added new Copilot capabilities that will enhance inventory visibility and enable businesses to promise orders with improved accuracy, significantly helping brands elevate their consumers’ buying experience.   

In addition, a new Copilot capability that helps to streamline procurement is now generally available. Procurement teams can seamlessly handle purchase order changes in a scalable and efficient manner and assess the impact of changes downstream to production and distribution before making the right decision.

Generate product enrichment content for e-commerce sites with Copilot 

Informative, story-rich product content can drive customer engagement and sales on e-commerce sites. Creating that content, however, can be time-consuming and challenging. In October 2023, we launched in preview the ability for business-to-business and business-to-consumer online retailers to use Copilot in Dynamics 365 Commerce to generate enriched product marketing content for their websites. This helps to decrease the time it takes to create compelling marketing content, while increasing productivity and increasing the overall number of online orders.

Visit our Microsoft booth at NRF this year to see these innovations in action.  

Discover the future of retail at NRF 2024 

Learn more about Dynamics 365 solutions for the retail industry and retail solutions introduced at NRF 2024. If you are registered for NRF 2024, we invite you to stop by our booth for demos of our solution and attend the following sessions:  

Retail unlocked: achieve more with Microsoft: Hosted by Shelley Bransten, Corporate Vice President, Global Retail, Consumer Goods and Gaming industries, Microsoft  

Sunday, January 14, 2024  | 1:00 – 1:30 PM  Eastern Standard Time (EST)

Join this interactive session to hear about one retailer’s AI journey to date. Hosted by Microsoft’s Corporate Vice President, Retail, Consumer Goods & Gaming Industries, Shelley Bransten, you’ll also learn about new AI-focused findings from Futurum Research and all new AI capabilities in Microsoft Cloud for Retail that will help power your AI transformation.    

Unlocking true customer-centricity: optimizing touchpoints across the shopper journey with AI: Hosted by Kathleen Mitford, Corporate Vice President, Global Industry Marketing   

Monday, January 15, 2024  | 11:45 – 12:15 PM  EST

Generative AI and large language models have captured the attention of executives across industries. While the technology’s use cases seem endless, smart retailers and brands must identify and prioritize the applications of generative AI that will be most valuable to their organization and partner with organizations who will treat their data with the highest privacy standards. Join us to hear how Microsoft is helping organizations large and small maximize their generative AI opportunities safely and responsibly.   

Unify your data to unlock AI opportunities: Hosted by Satish Thomas, Corporate Vice President, Microsoft Industry Clouds   

Tuesday, January 16, 2024 | 1:00 – 1:45 PM EST

Retailers are swimming in data all day, every day. Even with sophisticated legacy technologies and cutting-edge data science, the majority of that data goes uncollected. Insights stay hidden—often in plain sight. But that’s starting to change. AI tools are enabling retailers to understand their customers, merchandising, supply chains, operations, and workforces better than ever before. Join us to hear about the myriad insights that retailers are drawing from newfound and increasingly precise data sources to run leaner, smarter stores.    

1 AI Adoption in Retail Survey, The Futurum Group, 2024

The post Shaping the future of retail with AI and Dynamics 365 appeared first on Microsoft Dynamics 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Enabling security and management across all your SMB customers with Microsoft 365 Lighthouse

One of the common adoption blockers we have heard of from our partners is that they cannot standardize their security and management practices on Microsoft 365 Lighthouse because they cannot manage all their customers using it. This has made it challenging to standardize procedures such as resetting passwords, identifying risky users, or simply navigating a customer admin portal with delegated access. While we made it simple to search and discover users across the SMB customers you were managing in Microsoft 365 Lighthouse, you still needed a second process for the customers you were not managing in Microsoft 365 Lighthouse. This was primarily due to the requirement for Microsoft 365 Business Premium. While we have expanded support for a limited set of subscriptions to manage a customer in Lighthouse over the past couple of years, it was still limited to subscriptions that offered premium security value, preventing you from having a single solution.


 


Today, we expand support for all your commercial and educational SMB customers. This enables you as a partner to create standardized processes for managing all your SMB customers in Lighthouse. Here are a few of the scenarios you can do now with all your Microsoft 365 SMB customers using Lighthouse:



  • Anticipate your customers’ needs with proactive account management made easy with Sales Advisor opportunities. Discover the best ways to add value and support business growth with AI-powered insights and recommendations.

    Learn more: Introducing Sales Advisor – unlock your customer’s potential in Microsoft 365 Lighthouse – Microsoft Community Hub
    Screenshot of Microsoft 365 Lighthouse Opportunities page with AI-powered insights and recommendations to grow a customer.

  • Simplified delegated access across all your customer tenants. Configure granular delegated access to your customers’ tenants to manage users, devices, and data quickly and easily. Reduce risk by rightsizing delegated permissions across your organization while improving your productivity with a guided wizard that helps you scale best practices from across the MSP industry to set up Granular Delegated Access Privileges (GDAP).

    Learn more: Set up GDAP (microsoft.com)

    Screenshot of Microsoft 365 Lighthouse Granular Delegated Access Privileges setup wizard.



  • Assist with everyday user management. Lighthouse enables end-to-end user management, which allows you to create new users and quickly search and modify existing user details, including managing security groups, licensing, etc., and offboarding users. In addition to basic user management, Lighthouse adds value by providing management views across your Microsoft SMB customers that allow you to quickly identify and act on inactive accounts, Global Admin accounts, risky user behavior, and multi-factor authentication.


    Screenshot of Microsoft 365 Lighthouse showing how to search for a user and view the user’s details.



  • Gain visibility into any Microsoft 365 incidents or advisories affecting your customers with a multi-tenant Service health dashboard.

    Screenshot of Microsoft 365 Lighthouse Service Health page.




  • One of the challenges of managing multiple customers is that you often need to use different admin portals, such as the Microsoft 365 admin center, the Azure portal, Microsoft Intune, or Exchange, to name a few.  Lighthouse lets you quickly and securely access other Microsoft admin portals for each of your SMB customers in the context of your partner tenant credentials using GDAP. Lighthouse users can leverage our security and management scenarios and seamlessly jump to another Microsoft admin portal when necessary. 



    Learn more: Manage your customers with Microsoft 365 Lighthouse


    Screenshot of Microsoft 365 Lighthouse showing how to navigate into a customer’s Microsoft Entra admin portal.


We are just getting started and will continue to expand on the capabilities we offer to manage the breadth of customers you have in the coming months. So, check back often to learn what is new with Lighthouse.  


 


Not able to manage a customer in Lighthouse?


Here are cases where you will still find that a customer has limited management capabilities in Lighthouse and how you can change it.



  • By far, the most common cause a customer is “Limited” is that the customer tenant no longer has any active subscriptions and is no longer in use. If this is the case, the recommendation is to remove the reseller relationship and GDAP relationships (Partner-led termination of a granular admin relationship – Partner Center | Microsoft Learn). It is a best practice to remove relationships that are no longer needed to reduce unnecessary exposure to your organization.

  • The second most common cause a customer is “Limited” is that delegated permissions (GDAP) have not been set up. You can use the GDAP setup wizard within Lighthouse to resolve this (Set up GDAP for your customers in Microsoft 365 Lighthouse – Microsoft 365 Lighthouse | Microsoft Learn).

  • The customer tenant is in the Government Cloud. Unfortunately, we cannot support the management of this customer in Microsoft 365 Lighthouse.

  • The customer is not an SMB and has more than 2,500 licensed users.

  • You are not in the same geographic area as the customer. If you have customers in a different geographic area, you can set up Lighthouse in that region to manage them.

  • Lastly, some cases exist where tenants are used for Azure and not Microsoft 365. In that case, we recommend you check out Azure Lighthouse: What is Azure Lighthouse? – Azure Lighthouse | Microsoft Learn


To see why a specific customer is limited, click the Tenants link in the left navigation within Lighthouse, and then click the “Limited” link to bring up details on why they are not fully managed in Lighthouse:


Screenshot: Tenant list showing Contoso as “Limited” because delegated access has not been configured.


If you have a customer tenant using the Microsoft 365 services and you only have Limited management capabilities within Lighthouse, we want to know. You can leave comments below or use the feedback mechanism in Lighthouse. We want to enable you to manage all your active Microsoft 365 SMB customer tenants in Lighthouse.


If you already have Lighthouse, sign in and check out the links to other Microsoft admin centers at lighthouse.microsoft.com. If you don’t have Lighthouse, Sign up for Microsoft 365 Lighthouse to get started today.   

Transition to real time journeys – the time is now 

In September 2023, we announced that Dynamics 365 Customer Insights and Dynamics 365 Marketing are coming together as one offering named Dynamics 365 Customer Insights, an AI-driven solution that revolutionizes your customers’ experiences.

Within this solution are two apps:

  • Customer Insights – Data (previously known as Dynamics 365 Customer Insights), which empowers you to know your customers through a 360-degree profile.
  • Customer Insights – Journeys (previously known as Dynamics 365 Marketing), which allows you to engage your customers with personalized experiences based on the profile.

In the same timeframe, we also announced the transition from outbound marketing to real-time. The transition to real-time is independent from product name or licensing changes.

New customer environments only include real-time journeys and event management. Existing customers, if necessary, can add outbound marketing through a self-serve interface. We will continue to support outbound marketing but will not be adding new enhancements.  We encourage all customers to transition to and use the exciting new capabilities available in real-time journeys. In this blog we cover how to plan for the transition to real-time and the resources that are available to you to help make this seamless. 

How do the changes impact me? 

If you are a new customer of the Customer Insights – Journeys app, you get real-time journeys only (including Event planning). So you start with the most current and advanced technology and avoid the time & expense of transitioning from outbound later.  

Existing customer environments using outbound marketing show the new product name but otherwise remain unchanged. When you provision a new environment, copy an existing one, or upgrade a solutions-only environment to paid, outbound marketing is not installed by default.

If the system detects an existing environment with outbound marketing (in the same geo), the Settings > Version page shows an Enable outbound link to install outbound. If you do not see the link or have issues enabling outbound, reach out to us directly as explained in the Transition overview page (see links in the resources section later).

When should I transition to Real-time? 

Though we haven’t announced a date for ending outbound support, the time to transition is now! Rest assured, we will use our product telemetry data and customer feedback to provide an adequate time window to ensure all customers can plan and complete their transition before support for outbound is ended.

But why wait? Real-time journeys offers most of the capabilities that outbound marketing has and a lot more that outbound doesn’t (and will not), such as the ability to respond and react in near-real time, high scale of 100M contacts/300M interactions in public preview (even more on the roadmap), and new and exciting capabilities with generative AI/Copilot.

How to transition? 

You can transition all at once or gradually depending on your business needs, the capabilities you use in outbound marketing, and resource availability.

In a one-shot transition, you will recreate all your journeys, segments, and other assets in real-time journeys and then switch over to them over a short period (a few days).

The other approach is to transition gradually over time. You can create all your new campaigns in real-time journeys and leave your current campaigns running in outbound marketing until they complete. This way you build confidence and train your team gradually over time. We’ve prepared guidance on how to manage consent in hybrid/transition situations. With custom reporting capability (see release plan below), single analytics across both outbound and real-time can be created for the hybrid situation.

We know that most of your effort is usually spent in creating and finalizing emails, so we have built a tool in real-time journeys to let you Import outbound emails, templates, and content blocks so you can preserve and reuse them. You will also have a tool to help you quickly migrate consent records.

We have assembled real-time journeys transition resources to cover transition planning and tools for each major product area.  

Real-time transition capabilities

With either approach, you will want to take stock of what capabilities of outbound marketing you currently use, how they are supported in real-time journeys, and if there is a need to transfer any data or assets from outbound marketing to real-time journeys. In the transition resources section of our product documentation area, you will find a page for each functional area that has guidance, workarounds, and roadmap for specific capabilities. If you find there are some specific capabilities in outbound marketing that you need but are not yet available in real-time journeys, be assured that we are working to add them as fast as we can. For example, we already have a published release plan for these commonly asked for features: 

We are actively working on prioritizing additional features that have been requested. These are being scheduled to be part of the next release wave: 

  • Consent – Double opt-in 
  • Segmentation – Export, Template, Email delivery status 
  • Scheduling – Send scheduling 
  • Email – Content A/B testing 
  • Journey – Branch on email deliverability status, Templates
  • Tracking – Redirection URL 
  • Analytics – Click/Geo maps, combined analytics across outbound and real-time 
  • Event planning – event portal, session capacity, reoccurring events 
  • Forms – unmapped custom fields, form prefill, update none/multiple entities on submission, leads with parent contact 

Please note that the above is not an exhaustive list. We release new updates every month. We use your feedback to revise our roadmap continuously to ensure you can transition with confidence.  

Conclusion 

A large number of customers are already using and benefiting from ease of use and scale offered by real-time. Over the next few months, we are prioritizing work to ensure transitioning to real-time journeys is easy and quick for every customer. While outbound marketing continues to be available and supported for existing customers, we strongly recommend everyone still using outbound marketing transition to real-time journeys to propel your business into the future of marketing and customer experience.

Resources

Resources by purpose:

  • Product licensing and name changes:
    Microsoft Sales Copilot, Dynamics 365 Customer Insights, and cloud migration reshape the future of business – Microsoft Dynamics 365 Blog
    Dynamics 365 Customer Insights FAQs – Dynamics 365 Customer Insights | Microsoft Learn
    Customer Insights Pricing | Microsoft Dynamics 365
  • Provisioning changes for Customer Insights – Journeys (previously Dynamics 365 Marketing):
    Transition overview – Dynamics 365 Customer Insights | Microsoft Learn
    Real-time journeys transition FAQs – Dynamics 365 Customer Insights | Microsoft Learn
  • How to plan transition to real-time:
    Real-time journeys transition resources – Dynamics 365 Customer Insights | Microsoft Learn
  • Differences between real-time and outbound that may impact transition:
    Review specific pages under Functional areas overview – Dynamics 365 Customer Insights | Microsoft Learn. These pages include differences, suggested workarounds, and roadmap for closing noted differences.
  • Transitioning Consent management:
    Consent management and double opt-in transition guidance – Dynamics 365 Customer Insights | Microsoft Learn

The post Transition to real time journeys – the time is now  appeared first on Microsoft Dynamics 365 Blog.

“Copilot, help set my New Year’s goals”:  Using Viva Goals + Microsoft Copilot to make goals in 2024

The start of a new year is often seen as a time to reflect on the past, plan for the future, and set New Year’s resolutions for ourselves. It is also a key time for business leaders to set goals to help their organizations and teams accomplish more in the new year, whether those goals are a new product release, business growth, or workplace culture improvement.


 


Furthermore, we know that simply writing down your goals is often not enough to achieve them! You also need to communicate your goals with key stakeholders, track your progress, and measure your results. This can be challenging, especially if your organization has multiple goals, competing priorities, or cross-team dependencies.


 


This is where Viva Goals and Microsoft Copilot can help.


 


Viva Goals is Microsoft’s solution for creating, managing, and tracking organizational goals. It is founded on the Objective and Key Result (OKR) framework, yet can be customized to meet other goal-setting strategies. To learn more about changing your goal terms from “Objectives and Key Results” to other frameworks or labels, visit our page on customizing terminology in Viva Goals.


 


With the content generation and summarization capabilities in Copilot in Viva Goals, creating and tracking your goals is becoming even easier.


 


Quickly create your goals with Copilot in Viva Goals


 


One challenge we frequently hear from customers is uncertainty about getting started with writing actionable, outcome-driven goals. Setting appropriate and ambitious goals can be daunting, but using Copilot can make the process easier.


 


From a quick click of the “Copilot” button in the Viva Goals app (available on Microsoft Teams or in your browser), Copilot is ready to help you generate new goals or OKRs:


 


Copilot in Viva Goals can be accessed from the tool bar or the Copilot icon within Viva Goals.


 


Copilot in Viva Goals can help you generate goals in two different ways:


 


Generating new goals based on context you provide (ex: industry, roles, business mission)



Clicking “Help me generate new OKRs” means Copilot will help you in crafting OKRs, using the conversational interface and its repository of sample OKRs.


 




Copilot in Viva Goals will generate goals based on prompts or information you provide in the chat.


 


By asking Copilot to “Write an OKR for this year’s plans to roll out Microsoft Copilot to employees across my organization,” you may get a result like:


 


Objective: Roll out Microsoft Copilot to employees across the organization
Key Result (KR): Train 60% of our employees on the basics of taking the “Copilot for Microsoft 365” training in Viva Learning
KR: Set up all required infrastructure and hardware to support Microsoft Copilot for these employees
KR: Ensure 60% all newly hired employees have used Microsoft Copilot in their first month of onboarding


 


Note that this content is AI-generated and will change based on inputs / sample data.

Using the Copilot interface, you can ask Copilot to regenerate these OKRs, refine them (“be more conservative,” “increase the adoption rate,” etc.), or publish them to your Viva Goals instance.


 


Generating goals from a document you provide (ex: business plan, strategy paper)



Oftentimes, business leaders will already have strategy or business planning documents they have been circulating with their leadership teams. This can be a great place to get started: when you upload these strategy documents to Viva Goals, Copilot can identify potential goals from the document and format them into actionable OKRs. This capability is currently available for local .docx files, and will be expanding to more file types and file sources in the coming months.


 




Copilot in Viva Goals can use content from your existing documents to suggest outcome-based goals.


 


One thing to remember: using Copilot means that you, as the user, are always in control of what gets saved, published, and shared.


 


Copilot in Microsoft 365 can also be helpful in writing goals


 


For users that are not currently using Viva Goals, or are looking for suggestions on annual goals elsewhere, Copilot in M365 can be a great place to get started. Copilot in Word or in the Microsoft Copilot web experience can be great resources for creating the right goals for you and your organization. You can use prompts like “Write 3 OKRs for building a new (product/service) in the new year” or “Provide some goal suggestions for boosting employee morale” and work with Microsoft Copilot to refine these goals.


 


Furthermore, at Ignite last November (2023), we also announced that Microsoft 365 Copilot will be enhanced with Viva in early 2024. This means users will have access to Viva functionality within the Copilot for Microsoft 365 experience, including a chat experience that works across Viva data and apps to support employees, managers, and leaders. To learn more, check out the announcement from our blog in November, New ways Microsoft Copilot and Viva are transforming the employee experience.


 


Just make sure that after creating your goals, you are communicating these goals to your stakeholders and tracking your progress!


 


Summarizing your goals with Copilot


 


With Copilot, it is even easier to summarize and share your goal progress. Copilot uses context from your goal status updates and check-ins to generate summaries of your progress, making it even easier to share your current status with other teams and leadership.


 




Copilot in Viva Goals will quickly summarize your goals for easy sharing.


 


You can work with Copilot to tailor the update messages to your audience by asking the conversational AI to make the summary content more succinct, detailed, or professional. Looking to quickly share these updates with your teams, audiences or stakeholders? Use functionality within Viva Goals to broadcast your updates to email via Outlook or to post on Viva Engage with just a few clicks.


 




With the Viva Goals integration into Viva Engage, it’s easier than ever to share your team goals with your community.


 


It has never been easier to get started with setting and tracking your goals with Microsoft and Viva Goals, especially with the power of AI. Always make sure to review Copilot’s responses to make sure the suggestions and content it presents are relevant to your organization and your goals.


 


Set your 2024 Goals with Copilot today


 


Copilot in Viva Goals has been available to Viva suite customers in public preview since December 2023 and will be Generally Available in early 2024. NOTE: Customers with Viva suite licenses interested in using Copilot in Viva Goals should work with their IT Admins to enable public preview of Copilot for users from their Microsoft Admin Center. To learn more about enabling Copilot in Viva Goals, please visit our Copilot in Viva Goals documentation.


 


Microsoft will also be hosting a webinar session on January 31st, 8am US-PT, for those interested in a live demo and to hear how Copilot in Viva Goals is helping address goal-setting and tracking challenges. More details available at Microsoft Virtual Event “Discovering the Power of Copilot in Viva Goals”.


 


Have feedback about Copilot in Viva Goals? Use the feedback tool in Viva Goals to let us know your thoughts.


 


From the Microsoft Viva Goals team to yours, we wish you success in achieving your goals in the new year!

Easily Manage Privileged Role Assignments in Microsoft Entra ID Using Audit Logs


This article is contributed. See the original author and article here.

One of the best practices for securing your organization’s data is to follow the principle of least privilege, which means granting users the minimum level of permissions they need to perform their tasks. Microsoft Entra ID helps you apply this principle by offering a wide range of built-in roles as well as allowing you to create custom roles and assign them to users or groups based on their responsibilities and access needs. You can also use Entra ID to review and revoke any role assignments that are no longer needed or appropriate.


 


It can be easy to lose track of role assignments if admin activities are not carefully audited and monitored. Routine checks of role assignments and generating alerts on new role assignments are one way to track and manage privileged role assignments.


 


Chances are that when a user with privileged roles is approached, they’ll say they need the role. This may be true; however, many times users will unknowingly say they need those permissions to carry out certain tasks when they could be assigned a role with lower permissions. For example, a user will be able to reset user passwords as a Global Administrator, but that does not mean they can’t do that with another role with far fewer permissions.


 


Defining privileged permissions


 


Privileged permissions in Entra ID can be defined as “permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data.” Each Entra ID role has a list of permissions defined for it. When an identity is granted the role, the identity also inherits the permissions defined in the role.


 


It’s important to check the permissions of these roles. The permissions defined in all built-in roles can be found here. For example, there are a few permissions that are different for the Privileged Authentication Administrator role than the Authentication Administrator role, giving the former more permissions in Entra ID. The differences between the authentication roles can be viewed here.


 


Another example of having differences between similar roles is for the end user administration roles. The differences and nuances between these roles are outlined in detail here.


 


Auditing activity


 


To decide if a user really needs a role, it’s crucial to monitor their activities and find the role with the least privilege that allows them to carry out their work. You’ll need Entra ID audit logs for this. Entra ID audit logs can either be sent to a Log Analytics Workspace or connected to a Sentinel instance.


 


There are two methods that can be used to get the events carried out by admin accounts. The first makes use of the IdentityInfo table, which is only available in Sentinel after enabling User and Entity Behavior Analytics (UEBA). If you aren’t using UEBA in Sentinel or if you’re querying a Log Analytics Workspace, then you’ll need to use the second method, described under “Using Log Analytics Workspace”.


 


Using Microsoft Sentinel


 


To ingest Entra ID audit logs into Microsoft Sentinel, the Microsoft Entra ID data connector must be enabled, and the Audit Logs must be ticked as seen below. 


 




Figure 1 Entra ID data connector in Sentinel with Audit logs enabled 


 


The IdentityInfo table stores user information gathered by UEBA. Therefore, it also includes the Entra ID roles a user has been assigned. This makes it very simple to get a list of accounts that have been assigned privileged roles. 


 


The query below will give a unique list of activities an account has taken, as well as which roles the account has been assigned: 


 

AuditLogs 
| where TimeGenerated > ago(90d) 
| extend ActorName = iif( 
                         isnotempty(tostring(InitiatedBy["user"])),  
                         tostring(InitiatedBy["user"]["userPrincipalName"]), 
                         tostring(InitiatedBy["app"]["displayName"]) 
                     ) 
| extend ActorID = iif( 
                       isnotempty(tostring(InitiatedBy["user"])),  
                       tostring(InitiatedBy["user"]["id"]), 
                       tostring(InitiatedBy["app"]["id"]) 
                   ) 
| where isnotempty(ActorName) 
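// kind=inner keeps every audit event per actor; the default join kind (innerunique)
// deduplicates the left side on the join key, leaving one event per ActorID.
| join kind=inner (IdentityInfo 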
    | where TimeGenerated > ago(7d) 
    | where strlen(tostring(AssignedRoles)) > 2 
    | summarize arg_max(TimeGenerated, *) by AccountUPN 
    | project AccountObjectId, AssignedRoles) 
    on $left.ActorID == $right.AccountObjectId 
| summarize Operations = make_set(OperationName) by ActorName, ActorID, Identity, tostring(AssignedRoles) 
| extend OperationsCount = array_length(Operations) 
| project ActorName, AssignedRoles, Operations, OperationsCount, ActorID, Identity 
| sort by OperationsCount desc 

 


This will give results for all accounts that carried out tasks in Entra ID and may generate too many operations that were not privileged. To filter for specific Entra ID roles, the following query can be run where the roles are defined in a list. Three roles have been added as examples, but this list can and should be expanded to include more roles: 


 

let PrivilegedRoles = dynamic(["Global Administrator", 
                               "Security Administrator", 
                               "Compliance Administrator" 
                              ]); 
AuditLogs 
| where TimeGenerated > ago(90d) 
| extend ActorName = iif( 
                         isnotempty(tostring(InitiatedBy["user"])),  
                         tostring(InitiatedBy["user"]["userPrincipalName"]), 
                         tostring(InitiatedBy["app"]["displayName"]) 
                     ) 
| extend ActorID = iif( 
                       isnotempty(tostring(InitiatedBy["user"])),  
                       tostring(InitiatedBy["user"]["id"]), 
                       tostring(InitiatedBy["app"]["id"]) 
                   ) 
| where isnotempty(ActorName) 
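// kind=inner keeps every audit event per actor; the default join kind (innerunique)
// deduplicates the left side on the join key, leaving one event per ActorID.
| join kind=inner (IdentityInfo 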
    | where TimeGenerated > ago(7d) 
    | where strlen(tostring(AssignedRoles)) > 2 
    | summarize arg_max(TimeGenerated, *) by AccountUPN 
    | project AccountObjectId, AssignedRoles) 
    on $left.ActorID == $right.AccountObjectId 
| where AssignedRoles has_any (PrivilegedRoles) 
| summarize Operations = make_set(OperationName) by ActorName, ActorID, Identity, tostring(AssignedRoles) 
| extend OperationsCount = array_length(Operations) 
| project ActorName, AssignedRoles, Operations, OperationsCount, ActorID, Identity 
| sort by OperationsCount desc 

 


Once the query is run, the results will give insights into the activities performed in your Entra ID tenant and what roles those accounts have. In the example below, the top two results don’t pose any problems. However, the third row contains a user that has the Global Administrator role and has created a service principal. The permissions needed to create a service principal can be found in roles less privileged than the Global Administrator role. Therefore, this user can be given a less privileged role. To find out which role can be granted, check this list, which contains the least privileged role required to carry out specific tasks in Entra ID. 


 




Figure 2 Actions taken by users in Entra ID
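
The queries above only return accounts that appear in AuditLogs, so a privileged account that performed no audited operation in the window never shows up in the results. The following added example (not part of the original article) starts from IdentityInfo instead and uses a left outer join, so such accounts are listed with an operation count of 0; the column name LastActivity is an assumption of this example, and the role list is the article's sample list.

```kql
// Added example: every privileged identity, including those with no audited
// activity in the last 90 days (candidates for role review or revocation).
let PrivilegedRoles = dynamic(["Global Administrator",
                               "Security Administrator",
                               "Compliance Administrator"
                              ]);
IdentityInfo
| where TimeGenerated > ago(7d)                     // same window as the article's queries
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AssignedRoles has_any (PrivilegedRoles)
| join kind=leftouter (
    AuditLogs
    | where TimeGenerated > ago(90d)
    // Only user-initiated events are matched; app-initiated events have no user id.
    | extend ActorID = tostring(InitiatedBy["user"]["id"])
    | where isnotempty(ActorID)
    | summarize Operations = make_set(OperationName),
                LastActivity = max(TimeGenerated)   // hypothetical column name
             by ActorID
  ) on $left.AccountObjectId == $right.ActorID
// Identities without a match have a null Operations set; report them as 0.
| extend OperationsCount = coalesce(array_length(Operations), 0)
| project AccountUPN, AssignedRoles, OperationsCount, LastActivity, Operations
| sort by OperationsCount asc
```

Rows with an OperationsCount of 0 are privileged identities that initiated nothing recorded in the Entra ID audit log during the period.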


 


Using Log Analytics Workspace


 




Figure 3 Configuring the forwarding of Entra ID Audit logs to a Log Analytics Workspace


 


To ingest Entra ID audit logs into a Log Analytics Workspace, follow these steps.


 


Because there is no table that contains the roles an identity has been granted, you’ll need to add the list of users to the query and filter them. There are multiple ways to get a list of users who have been assigned a specific Entra ID role. A quick way to do this is to go to Entra ID and then select Roles and administrators. From there, select the role and export the identities that have been assigned to it. It’s important to have the User Principal Names (UPNs) of the privileged users. You’ll need to add these UPNs, along with the roles the user has, to the query. Some examples have been given in the query itself. If the user has more than one role, then all roles must be added to the query.


 

datatable(UserPrincipalName:string, Roles:dynamic) [ 
    "admin@contoso.com", dynamic(["Global Administrator"]), 
    "admin2@contoso.com", dynamic(["Global Administrator", "Security Administrator"]), 
    "admin3@contoso.com", dynamic(["Compliance Administrator"]) 
] 
| join (AuditLogs 
        | where TimeGenerated > ago(90d) 
        | extend ActorName = iif( 
                                isnotempty(tostring(InitiatedBy["user"])),  
                                tostring(InitiatedBy["user"]["userPrincipalName"]), 
                                tostring(InitiatedBy["app"]["displayName"]) 
                            ) 
        | extend ActorID = iif( 
                            isnotempty(tostring(InitiatedBy["user"])),  
                            tostring(InitiatedBy["user"]["id"]), 
                            tostring(InitiatedBy["app"]["id"]) 
                        ) 
        | where isnotempty(ActorName) ) on $left.UserPrincipalName == $right.ActorName 
| summarize Operations = make_set(OperationName) by ActorName, ActorID, tostring(Roles) 
| extend OperationsCount = array_length(Operations) 
| project ActorName, Operations, OperationsCount, Roles, ActorID 
| sort by OperationsCount desc 

 


Once you run the query, the results will give insights into the activities performed in your Entra ID tenant by the users you have filtered for. In the example below, the top two results can cause problems. Both have the Global Administrator role, but their operations don’t require that role. The permissions needed for these operations can be found in roles less privileged than the Global Administrator role. Therefore, these users can be given a less privileged role. To find out which role can be granted, check this list, which contains the least privileged role required to carry out specific tasks in Entra ID.


 




Figure 4 Actions taken by users in Entra ID


 


If this user still requires the Global Administrator role, then the Security Administrator role will become redundant, as the Global Administrator role contains more permissions than the Security Administrator role.


 


Conclusion


 


Keeping accounts with privileges that are not required keeps your attack surface larger than it needs to be. By ingesting Entra ID Audit logs, you can query and identify users who have unnecessary and over-privileged roles. You can then find a suitable alternative role for them.


 


Timur Engin




  


 


Learn more about Microsoft Entra: