Microsoft 365 Copilot Chat and Microsoft 365 Copilot Explained

Reading Time: 14 minutes

Image


In this post, we’ll explore the key differences between Microsoft 365 Copilot and Microsoft 365 Copilot Chat. At first glance, the only distinction might seem to be the word “Chat”, but that small difference represents two distinct user experiences and capabilities. So grab a drink, buckle up, and let’s dive into what sets them apart.


Setting the stage
Before we dive in, I want to set the stage. Microsoft 365 Copilot Chat isn’t the premium version, but it offers a great way for organisations to explore AI with minimal cost. As confidence and value grow, organisations may gradually scale up to Microsoft 365 Copilot, the fully integrated premium experience at $30/user/month which includes Copilot Chat and additional capabilities as shown in the image below. We’ll explore the capabilities later in this post.

Image


In this post, I’ll also be referring to three important terms: web-grounded, work-grounded and Microsoft Graph.

Web-grounded means Copilot only uses public web data (via Bing) and does not access your work data.

Work-grounded means Copilot can access your work data, such as files, emails, meetings, and more, through the Microsoft Graph, based on what you as a user are authorised to view.

Microsoft Graph is the API (Application Programming Interface) that connects data across Microsoft 365 services, like Outlook, Teams, SharePoint, and OneDrive, allowing Copilot to securely access and reason over your work content based on your existing permissions. Copilot can only access the data which you already have permissions to access.



Microsoft 365 Copilot Chat

Microsoft made Microsoft 365 Copilot Chat available to a broader range of organisations already using Microsoft 365 services, even if they haven’t purchased the full Microsoft 365 Copilot licence. Previously, Copilot Chat was only accessible to businesses that paid for the additional Copilot licence.

As of 2025, Copilot Chat is now included at no extra cost for organisations with eligible Microsoft 365 licenses, such as Microsoft 365 E3, E5, Business Standard, Business Premium, and others. This means that if your organisation is already licensed for apps like Word, Teams, Outlook, Excel, PowerPoint, and SharePoint, you likely have access to Copilot Chat.

Copilot Chat is not free for all

It’s important to clarify a common misconception: Copilot Chat is NOT free for everyone. It’s included only for users with qualifying Microsoft 365 or Office 365 licenses. I’ll go into more detail on the specific license types later in this post.

Why this blog post?

So, why this blog post? Because while Microsoft 365 Copilot and Microsoft 365 Copilot Chat may sound similar, they serve different purposes, and understanding those differences is key to using them effectively. That’s exactly what I’ll be focusing on in this post.

Note:
This post isn’t about explaining what Microsoft 365 Copilot is or how it works behind the scenes. If you’re looking to understand the fundamentals of Microsoft 365 Copilot, you can start with my earlier blog post series, beginning with: Part 1 – Save time and be more productive at work with Microsoft 365 Copilot – Cloud Build.

January 2025: Copilot Chat Becomes More Accessible

In January 2025, Microsoft announced the broader availability of Microsoft 365 Copilot Chat, introducing it as a new offering for commercial customers. This update included support for pay-as-you-go agents, allowing organisations to access advanced AI capabilities without committing to a full Copilot license. More on this later.

Importantly, while Microsoft 365 Copilot Chat is now included as part of a range of existing Microsoft 365 licenses, as mentioned above, it is not free for everyone. Only users with eligible Microsoft 365 commercial licenses can access it. Some advanced features, such as agents that access tenant data, will incur additional costs under a metered billing model. More on this later.

A Secure, Scalable AI Experience

Microsoft 365 Copilot Chat delivers a secure AI chat experience powered by GPT-4o, designed to be accessible across organisations without requiring a separate Copilot license. This is a major shift from the previous model as it makes it easier for businesses to explore AI capabilities without upfront investment in premium Copilot subscriptions.

The good news is that organisations can now gradually scale their adoption, starting with Microsoft 365 Copilot Chat and transitioning to the full Microsoft 365 Copilot experience as their needs evolve.

In short, Copilot Chat is included at no additional cost for users with eligible Microsoft 365 licenses. However, it’s worth repeating, this doesn’t mean it’s free for everyone. It’s only available to organisations already licensed for Microsoft 365 services.

This inclusion is a great opportunity for businesses that want to explore Copilot’s capabilities but aren’t yet ready to commit to the full premium version. It allows organisations to experiment, evaluate, and build confidence before scaling up to the premium version, known as Microsoft 365 Copilot.

Who has access to Microsoft 365 Copilot Chat?

Copilot Chat is available at no additional cost for Microsoft Entra account users with one of the following eligible licenses. The screenshot below was taken from the Microsoft website and lists which Microsoft 365 licenses include Microsoft 365 Copilot Chat as of January 2025.

Image

Source: Microsoft 365 Copilot Chat eligibility


What can Microsoft 365 Copilot Chat be used for?


Microsoft 365 Copilot Chat empowers organisations to adopt AI in the workplace without the upfront cost of licenses. It provides a secure, web-grounded AI chat experience powered by GPT-4o, enabling users to access real-time information from the internet and interact with organisational data, with the confidence that enterprise-grade security, privacy, and compliance are built in by design.

You can use Microsoft Copilot Chat to:

Upload Files
Users can upload files directly into the chat and ask Copilot to assist with content, analysis, or formatting, making it a powerful productivity tool. You can upload your organisation’s files, such as a Word document, and ask Copilot to do things like summarise key points, analyse data in an Excel spreadsheet, and suggest improvements to a PowerPoint presentation.

Copilot Pages
Copilot Pages is a collaborative workspace where you can co-create content with both AI and your colleagues in real time. You can bring together content from Copilot, your files, and even the web, all in one place. For example, you might ask Copilot to draft a plan for a team event. That content can be added directly to a Copilot Page with the click of your mouse, where your team can edit, refine, and build on it together in real time. No more emailing documents back and forth or managing multiple versions. Everyone works from the same page.

Image

Note: Copilot Pages is available in both Microsoft 365 Copilot and Copilot Chat at no additional cost but requires a SharePoint license, as it powers the underlying collaboration and storage features.

Security
Microsoft 365 Copilot Chat includes robust enterprise grade security, privacy, and compliance controls. It’s built on Microsoft’s trusted cloud infrastructure and adheres to the same security and compliance commitments as the rest of the Microsoft 365 suite.

Agents
Agents are integrated into the chat experience, but not all agents are available for free. Microsoft 365 Copilot Chat has agents that can be used at no additional cost, and agents that are billed based on metered consumption. Agents that are grounded in instructions and public websites are available at no additional cost. If you wish to configure an agent which is grounded in your enterprise data or in a third-party system, this is a paid-for service, billed either through a message pack or on a pay-as-you-go basis. For example, you may wish to create an agent which links to your CRM system and can then be utilised to retrieve information without you having to log in to your CRM system. AI agents were previously available in the full Microsoft 365 Copilot experience only, requiring a $30 per user per month license.

I have created a comparison of agent availability in the table below.

Agent Type | Available in Copilot Chat | Available in Microsoft 365 Copilot ($30 license)
Declarative agents (grounded in public data or instructions) | ✅ Included (grounded in web data) | ✅ Included (grounded in web data)
Metered agents (agents that access enterprise data like SharePoint or CRM) | ✅ Available, 💵 Paid (metered) | ✅ Available, 💵 Included in license
Autonomous agents (AI agents that perform multi-step tasks automatically without user prompts) | ✅ Available, 💵 Paid (metered) | ✅ Available, 💵 Paid (metered)



Managing Costs with Metered Agents

A common concern with AI adoption and Microsoft 365 Copilot Chat is: how do we prevent pay-as-you-go costs from spiraling out of control? If you’re wanting to try out agents with Microsoft 365 Copilot Chat but nervous about the costs, Microsoft offers two billing options to help organisations manage usage and stay within budget:

  1. Pay-as-you-go: An open billing model where you’re charged $0.01 per message.
  2. Message/Consumption Packs: A fixed monthly plan offering 25,000 messages for $200 per tenant.

These options are configured through the Copilot Studio portal, where IT admins can monitor usage and set limits. Let’s explore further.

IT Controls and Agent Access

To maintain control and security:

  • Declarative agents (grounded in public data or instructions) are enabled by default and can be used/created for free by your users in Copilot Chat. There are also a number of built-in agents grounded in the web which can be utilised out of the box.

  • Metered agents (e.g., those accessing SharePoint or Graph Connector content) are disabled by default and must be explicitly enabled by IT admins via Copilot Studio.

  • In Microsoft 365 Copilot ($30 per user license), agent capabilities are enabled by default and included as part of the package (apart from autonomous agents), but admins can still control which agents are available to users.

    More info on pricing can be located at the following link, Copilot Studio licensing.

Admins can:

  • Enable or disable metered billing for specific users or groups
  • Decide who can create agents
  • Restrict access to pre-approved agents in the gallery

Reporting:

  • The Microsoft 365 Copilot Chat usage dashboard provides insights into active usage of Microsoft 365 Copilot Chat. The report includes total active users, average daily active users, and active users per app. Usage insights can be viewed as totals and trends for the past 7, 30, 90, or 180-day periods. The report also shows the last activity date per user, anonymised by default. To view all reports, check out Microsoft 365 Reports in the admin center overview.

    Note
    At the time of writing, the report is currently limited to users without a Microsoft 365 Copilot license that interact with Copilot Chat in Teams, Outlook, Copilot.cloud.microsoft, Microsoft 365 Copilot (app), and Microsoft Edge.
    Source: Microsoft 365 Copilot Chat usage

How do I access Microsoft 365 Copilot Chat and Microsoft 365 Copilot?

In the table below, I have included some details about the personal free version in column three, as this version causes confusion. The personal version is available to all. I have provided some information on the personal version towards the end of this post but the main focus is the two business versions of Copilot in columns one and two.

Access

  • Microsoft 365 Copilot Chat: m365copilot.com or copilot.cloud.microsoft.com; or the Microsoft 365 Copilot app via mobile or desktop; or Outlook (click the Copilot icon from the left pane in Outlook desktop or the Outlook web app); or Microsoft Teams (click the Copilot icon from the left pane inside the Microsoft Teams desktop or web app).

  • Microsoft 365 Copilot: the same entry points as Copilot Chat: m365copilot.com or copilot.cloud.microsoft.com; the Microsoft 365 Copilot app via mobile or desktop; the Copilot icon in the left pane of Outlook desktop or the Outlook web app; or the Copilot icon in the left pane of the Microsoft Teams desktop or web app.

  • Microsoft Copilot (Personal): copilot.microsoft.com or bing.com/chat; or the Copilot app via mobile or desktop.

For organisations

  • Microsoft 365 Copilot Chat: Eligible for customers with existing Microsoft 365 licenses.

  • Microsoft 365 Copilot: Eligible for customers with existing Microsoft 365 licenses. Additional Copilot licenses required at $30 per user, per month, if accessing the premium features.

  • Microsoft Copilot (Personal): Free and accessible to all using a personal email account, such as @hotmail, @live and so on. Not recommended for sensitive business data.


Comparison between Microsoft 365 Copilot Chat and Microsoft 365 Copilot

The below table provides a deeper comparison between Microsoft 365 Copilot Chat and Microsoft 365 Copilot.

Microsoft 365 Copilot Chat vs Microsoft 365 Copilot (Licensed version)

  • Requires a work or school account
  • Responses are web-grounded (powered by GPT-4o)
  • Responses are work-grounded
  • Includes Copilot Pages
  • Upload files to prompts (Copilot Chat: ✅ limited)
  • Create images and data visualisations (Copilot Chat: ✅ limited)
  • *Code Interpreter (Copilot Chat: ✅ limited)
  • Copilot integrated in 365 apps, such as Word, Excel, Outlook, Teams, PowerPoint…
  • IT management controls, including who can access/create agents
  • Usage reports (Copilot Chat: ✅ limited)
  • **SharePoint Advanced Management (more info below)
  • ***Discover and pin agents for users (more info below)
  • Use agents grounded in web data
  • Use agents grounded in work data (Copilot Chat: 💵 Paid, metered)
  • Autonomous agents (Copilot Chat: 💵 Paid, metered; Microsoft 365 Copilot: 💵 Paid, metered)
  • ****Copilot actions (more info below): in preview
  • *****Pre-built M365 agents (Interpreter, Facilitator, Project Manager, Employee self-service): in preview



*Code Interpreter in Microsoft 365 Copilot uses the Python programming language to help users perform advanced data analysis, including coding, visualization, and mathematical calculations.

**SharePoint Advanced Management (SAM)
SharePoint Advanced Management is a Microsoft 365 add-on that helps organisations prepare for Copilot by improving content governance, reducing oversharing, managing content sprawl, and ensuring Copilot accesses only accurate, well-managed data. Beginning in early 2025, it is included with the paid Microsoft 365 Copilot license. More info at: SharePoint Advanced Management (SAM)

***Microsoft 365 Copilot Chat pinned
To ensure people across your organisation have easy access to Copilot Chat and can benefit from its security and experience updates, Microsoft recommends that your users have Microsoft 365 Copilot Chat pinned to their navigation bar. Starting on May 1, 2025, and rolling out over time, Microsoft 365 Copilot Chat is pinned by default in the navigation bar of the Microsoft 365 Copilot app, Teams, and Outlook for most users who are eligible for Copilot Chat across the web, mobile, and desktop. Source: Manage Microsoft 365 Copilot Chat.

****Copilot actions:
The new Copilot Actions feature introduces intelligent agents that can perform tasks across apps and systems on your behalf. These agents, part of the broader Microsoft 365 Copilot update, can now interact with websites and desktop applications, clicking buttons, navigating menus, and entering data, just like a human would.

*****Pre-built M365 agents (Interpreter, Facilitator, Project Manager, Employee self-service):

These are specialised AI assistants designed to handle specific roles and tasks within organisations. Interpreter helps translate and explain complex data or documents. Facilitator supports meeting coordination, follow-ups, and collaboration. Project Manager assists with tracking tasks, deadlines, and project updates. Employee Self-Service enables staff to get quick answers or complete HR/IT tasks like onboarding or support requests.


Demo: Differences in Microsoft 365 Copilot Chat and Microsoft 365 Copilot interfaces

In this section, I walk through a demo of both Microsoft 365 Copilot Chat and Microsoft 365 Copilot.

If you sign in with a user who has been assigned a Microsoft 365 license, but does not have a Copilot license, you’ll be redirected to a web interface similar to the one below.

Image


Notice the green shield icon in the image above? Your organisational data is protected. You can upload company files and interact with Copilot, knowing that enterprise-grade security and compliance controls are in place.

Work and Web tabs are missing
In the image below, you’ll also notice that the “Work” and “Web” tabs are missing. These are only available in the licensed Copilot experience.

The Web tab allows Copilot to access public internet data via Bing, enabling real-time, web-grounded responses.

The Work tab enables Copilot to access organisational data through Microsoft Graph, such as files, emails, and meetings, based on the user’s existing permissions.

Even without these tabs, both Microsoft 365 Copilot Chat and Microsoft 365 Copilot support file uploads. Users can manually upload documents and ask Copilot to summarise, analyse, or even generate content based on the file.

Image


Another screenshot of the Microsoft 365 Copilot Chat interface below:

Image


The premium version, which costs $30 per user per month, grants you access to both Copilot Chat and a suite of additional premium features, as shown in the image below and as I detailed in the comparison table earlier.

Image


If you sign in with an account that has a Copilot license assigned (the paid version at $30 per user, per month), you’ll see a slightly different interface. Notably, the “Work” and “Web” tabs are visible, offering access to organisational data and public web content respectively.


Furthermore, Microsoft 365 Copilot (licensed at $30 per user, per month) allows employees to interact with their work data directly through Copilot. For example, you could ask Copilot to:

  • Find an email from a colleague in your mailbox
  • Check when you last had a meeting with a colleague
  • Summarise outstanding tasks assigned by your manager
  • Check your Microsoft Teams messages and highlight any unresolved actions
  • and more

These capabilities are possible because the premium version is work-grounded, meaning it can access organisational data via Microsoft Graph.

Note: Microsoft Graph is the API that connects data across Microsoft 365 services, like Outlook, Teams, SharePoint, and OneDrive, allowing Copilot to securely access and reason over your work content based on your existing permissions. Copilot can only access the data which you already have permissions to access.

The work and web tabs are available for licensed users as shown in the image below.

Image


Access Copilot Chat from Teams and Outlook

Copilot Chat is also accessible from the Microsoft Teams and Outlook apps. Launch Microsoft Teams desktop or the web app and click the Copilot icon which appears in the left pane.

Image


To access Copilot Chat via Microsoft Outlook, launch Outlook desktop or via the web and click the Copilot icon which appears in the left pane.

Image


Microsoft 365 Copilot is integrated into 365 Apps

Both versions of Copilot allow you to upload documents into the chat experience. However, the licensed version, known as Microsoft 365 Copilot, is fully integrated into Microsoft 365 apps such as Word, Excel, PowerPoint, Outlook, Teams, and more.

A Copilot icon appears within these apps, enabling you to work with Copilot directly inside the Microsoft 365 environment. For example:

  • In Outlook, you can ask Copilot to draft a new email or reply to an existing one.
  • In Excel, you can ask Copilot to analyse data, add columns or rows, apply conditional formatting, insert filters, and perform deep analysis.
  • In PowerPoint, you can ask Copilot to create a new slide deck—referencing a Word document, such as a company income statement.
  • In Teams, you can ask Copilot to summarise a long conversation or analyse a recorded meeting you missed.
  • and more

This integrated experience is exclusive to users with a Microsoft 365 Copilot license, priced at $30 per user, per month. If you don’t have a Copilot license, these in-app Copilot icons will not be visible.

Copilot in Excel
Users assigned a Copilot license will find the Copilot icon integrated in their 365 applications. Example of Microsoft Excel below.

Image

Which AI Solution is right for you?


If your organisation already uses one of the eligible Microsoft 365 licences listed earlier, but hasn’t purchased any Copilot licenses, Microsoft 365 Copilot Chat is already included at no additional cost. This means your employees can start using it right away.

Because Copilot Chat includes built-in enterprise-grade data protection, it helps reduce the risk of employees turning to third-party AI tools that may not offer the same level of security. You don’t want staff copying and pasting sensitive company data into external AI platforms without knowing how that data is handled.

With Microsoft 365 Copilot Chat and Microsoft 365 Copilot, your data is protected under Microsoft’s Enterprise Data Protection (EDP) commitments. Your prompts, responses, and uploaded files are not used to train the underlying large language models (LLMs).

For comparison, here’s OpenAI’s article on how your data may be used when using their services such as ChatGPT.

Image

Source: How your data is used to improve model performance | OpenAI Help Center


And the below is from the Microsoft website:

Image

Source: Enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat | Microsoft Learn

Another benefit of Microsoft 365 Copilot Chat, especially for organisations that haven’t purchased Copilot licenses, is the ability to work with AI agents. If the agent is web-grounded, it can be used at no additional cost. For more advanced scenarios, such as agents grounded in enterprise data, you can choose between a pay-as-you-go model or a fixed monthly message pack which can be controlled by IT. This allows businesses to trial agents and evaluate whether they can support employee productivity and long-term growth, without committing to the full premium Copilot experience immediately. You may wish to upgrade to the premium version at a later date.

What’s Microsoft Copilot without the 365 branding?
I briefly mentioned Microsoft Copilot in a comparison table above. You may have noticed references to Microsoft Copilot, without the “365” branding, and wondered how it differs from Microsoft 365 Copilot and Microsoft 365 Copilot chat.

Microsoft Copilot is the free, personal version of Copilot available to anyone with a personal Microsoft account (e.g. @hotmail.com, @outlook.com, @live.com). You can access it by visiting https://copilot.microsoft.com, clicking Sign in, and logging in with your personal email address. You can also use the personal version without logging in, but won’t be able to use the image generation and voice features without logging in first. Yes, Copilot talks to you. Give it a try.

Microsoft Copilot is a consumer version and is available for free. It can help you with personal tasks and uses information from the internet. You can use it for non-sensitive work tasks, but be cautious. Never add sensitive or proprietary work information to a prompt.

Check out my blog post on the free version of Copilot: Part 4 – Free Version of Microsoft Copilot – Cloud Build.

Note: If you have purchased Microsoft 365 apps for personal or family use, there’s also the option to purchase Copilot Pro, which integrates Copilot into your 365 applications at home. While the focus of this post is on Microsoft 365 Copilot Chat and Microsoft 365 Copilot for business use, it’s worth knowing that personal Copilot options are available too. A comparison of the free and pro versions is available at the following link, Compare Copilot Free and Pro.


Summary

Microsoft 365 Copilot Chat and Microsoft 365 Copilot are the two main ways your organisation can access Copilot capabilities.

Microsoft 365 Copilot Chat

  • Included at no additional cost for users with eligible Microsoft 365 licenses. It’s not free for all.
  • Web-grounded by default: it uses the latest AI models and public web data to answer questions, generate content, and provide insights.
  • Does not access your work data, unless you upload files manually.
  • Enterprise-grade data protection: your data is not used to train AI models.
  • Agents grounded in the web can be created/used for free
  • If you wish to create an agent to interact with a third party app, SharePoint and so on, this is chargeable.
  • Ideal for organisations looking to explore AI securely without purchasing Copilot licenses straight away.

Microsoft 365 Copilot

  • Includes everything in Copilot Chat, plus more.
  • Grounded in both web and work data, can access your emails, meetings, documents, chats, and more via Microsoft Graph.
  • Integrated into Microsoft 365 apps like Word, Excel, PowerPoint, Outlook, and Teams.
  • Agents included apart from autonomous agents
  • Requires a paid license ($30 per user/month), assigned by your Microsoft 365 admin.
  • SharePoint Advanced Management (SAM) included

I hope you found this post of use. All feedback is welcome, so please feel free to submit a comment below. Thank you

Obtain Free Let’s Encrypt Certificates and Store Them in Azure Key Vault: A Step by Step Guide

Reading Time: 12 minutes


When providing training, I demonstrate how to obtain free automated Let’s Encrypt certificates and store them in Azure Key Vault using an ACME Bot. I’ve been asked a few times to put together a step-by-step guide, so here it is.

IMPORTANT: I am implementing this solution in a demo environment with a domain name I have registered, which is not used in production. Please be careful when implementing any new solution in production. Ensure you thoroughly research and understand what you’re deploying first.

In this post I will go through a step-by-step guide on how to deploy a low-cost solution in Azure to obtain free TLS certs from Let’s Encrypt and store them in Azure Key Vault. Furthermore, we can automatically renew these certificates and request additional TLS certificates as needed.

Free Managed Certificates provided by the Azure platform
Depending on which services you use in Azure, there are free certificates available for use, for example with Azure App Services and Azure Front Door. These certs are free, managed by the Azure platform and automatically renewed. However, free managed certs are limited to some services in Azure, so they cannot be used for all solutions.

What is Let’s Encrypt?
Let’s Encrypt is a Certificate Authority that provides free TLS certificates, making it easy for websites to enable HTTPS encryption and create a more secure Internet for everyone. Let’s Encrypt is a project of the nonprofit Internet Security Research Group.

What is ACME?
ACME stands for Automatic Certificate Management Environment. It’s a protocol that helps automate the process of obtaining and renewing SSL/TLS certificates. This means you don’t have to manually request or update certificates; ACME does it for you, making it easier to keep your website secure. There are several ACME providers, including Let’s Encrypt, which is the provider I will be using. Other providers include Buypass Go SSL, ZeroSSL, Google Trust Services, SSL.com and more.

Let’s Encrypt is one of the well-known providers; it offers free certificates and supports the ACME protocol for automation. To request free TLS certs, I will deploy a client to interact with the provider Let’s Encrypt. I’ll cover further details on the client later in this post.
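To make the automation concrete, here is an added example (not code from this post or from the Key Vault Acmebot project) showing the piece of ACME that ties a certificate request to a domain: the DNS-01 challenge. The client proves control of the domain by publishing a TXT record whose value is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, using the RFC 7638 JWK thumbprint); the CA then queries DNS and compares. DNS-01 is the challenge type Key Vault Acmebot uses, which is why the bot needs access to the DNS zone. The account key and token below are constructed sample values, not real keys, and the code uses only the Python standard library.

```python
"""ACME DNS-01 key authorization and TXT value, standard library only.

Added example: the account JWK and token are constructed, not real.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Only these members enter the thumbprint (RFC 7638 section 3.2); optional
# members such as "use" or "kid" are deliberately ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members (lexicographic order, no whitespace), base64url-encoded."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported key type: {kty!r}")
    members = _THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
    (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for DNS-01: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Validation domain name: '_acme-challenge.' prepended to the domain.
    A wildcard identifier is validated on its base domain, so '*.' is dropped."""
    domain = identifier.rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def validate_dns01(published_txt_values, token: str, account_jwk: dict) -> bool:
    """The CA's side of the check: does any published TXT value match the one
    derived from this token and account key? Constant-time compare as a habit."""
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(v, expected) for v in published_txt_values)


# Constructed sample ACME account key (EC P-256 public part with fabricated
# coordinates) and a constructed challenge token. Not real values.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "use": "sig",  # optional member; must not change the thumbprint
}
SAMPLE_TOKEN = "constructed-challenge-token-0123456789"


if __name__ == "__main__":
    name = dns01_record_name("*.cloudcrazy.co.uk")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"{name} TXT {value}")
    print("CA validation:", validate_dns01([value], SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Two design points worth noticing. The thumbprint is computed over the required JWK members only, so an optional member added later (or a different member order) does not change it; that is what lets the CA and client agree on the same value. And because the client must be able to write the TXT record, the identity running the ACME client needs only DNS write permission on the specific zone it certifies, which is the least-privilege scope to give it.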

If you wish to follow along with this demo, I will be deploying/using the below services. If you don’t have access to an Azure subscription, not to worry, I will provide a step by step guide including screenshots whilst I go through the deployment.

  • Azure Subscription: this solution will cost a small amount so an Azure Subscription is required for billing.
  • Domain name: I’ll be using a domain I have previously registered, cloudcrazy.co.uk
  • Client: Key Vault ACME bot. I’ll be using an Azure Function to run the Key Vault ACME bot client. The ACME bot will connect to the ACME provider (Let’s Encrypt) to allow me to request FREE TLS certs. I won’t be building the ACME bot client from scratch, it already exists on GitHub at the following link, GitHub Acmebot.

  • Azure App Service Plan: an Azure App Service Plan will be deployed for the Client (Azure Function App) to run in consumption mode, so it will only cost a small amount when I trigger the function app requesting for new certs, or when the app checks for certificate expiry/renewals.

  • Storage account: A storage account will be required for the client (Azure Function App) but won’t take up too much storage.

  • Azure Key Vault: the ACME bot will also connect to Key Vault as that’s where I will be storing my TLS certs.

  • Azure DNS: The DNS zone name I will be using and requesting certificates for is cloudcrazy.co.uk. You will need your own domain name. I’ll be creating an Azure DNS zone and configuring name server records for cloudcrazy.co.uk to redirect to Azure DNS. Other domain providers are also supported, such as Amazon Route 53, Cloudflare, GoDaddy, Google Cloud DNS and more. I’ll be deploying Azure DNS. With some additional effort you can also use your own custom DNS solution.

Let’s get started

1. Visit the ACME Bot GitHub page at the following link, GitHub ACMEbot

2. Feel free to browse the page to understand the ACME Bot further. The page shows the following at the time of writing this post.
Image

Image

Image



3. Scrolling down to the bottom of the page, I see the option to deploy this solution into my Azure environment using an ARM (Azure Resource Manager) template. I’ll be deploying into Azure (Public). Click the Deploy to Azure button. The repository also includes the option to deploy via Terraform modules and Azure Bicep if that’s what you’re already using as part of your preferred IaC (Infrastructure as code) solution.

Image


4. You’ll be prompted to log in to the Azure portal

Image


5. After I log in, the provided ARM template is automatically launched from the ACME GitHub repository into my Azure environment with some default settings enabled. I will need to complete the remaining fields before I deploy.

Image


6. After completing the additional fields, this is what my deployment will look like. Please feel free to change as per your requirements.

Resource group name: rg-KeyVaultBot
Region: UK South
Mail Address: Email address for ACME account
ACME Endpoint: I am using provider Let’s Encrypt
Create With Key Vault: true (A new Key Vault will be created. If you have an existing Key Vault, click false and enter your key vault URL in the Key Vault Base Url field.)

Note
The new Azure Key Vault deployment configures RBAC for permissions and not access policies.

Image



7. When ready, click Review + Create, and then Create after reading the terms.

Image

Image


The deployment should take about 5 minutes.

Image


8. Click the button Go to resource group after the deployment has completed to check what has been deployed as part of this deployment.

Image

9. Click on the Function App from inside the resource group

Image


10. Explore the function app for now. Don’t make any changes.

11. If you click on Identity from the left pane, you’ll find that the deployment configured a system-assigned managed identity for the function app. This gives the function app an identity which has been granted permissions to access the Azure Key Vault.

Image


12. Let’s open the client app via the function app. Copy the url of your function app from the overview page, and open it in a web browser.

Image


13. I get an error. It is not a very descriptive one, but it is caused by an authentication failure: the dashboard requires a signed-in user and no identity provider has been configured yet. That is the right default; we don’t want anyone on the Internet reaching this URL anonymously and issuing certificates on my behalf. In the next step, I will configure Entra ID authentication.

Image


14. I’ll be using Entra ID authentication so that I can sign in with my Entra ID account; other identity providers are also available. Click Authentication (under Settings) in the left pane of your function app. It is also possible to configure this from the Entra ID side, but I’ll use the option inside the function app for this demo.

Image


15. Click the button Add identity provider

Image

16. Click Microsoft from the list of Identity providers

Image

17. This wizard creates an Entra ID app registration that allows me to sign in to the function app with my Entra ID credentials. I am going to accept the default options here. Note that with the defaults any user in the tenant can sign in; to limit the dashboard to specific people, set Assignment required on the enterprise application the wizard creates and assign only those users.

Image

Image

18. Click Add and wait for the deployment to complete

Image


19. Let’s try the client (function app) URL again.

Success, Entra ID is prompting for credentials.

Image


20. Log in with your Entra ID credentials.

21. The application needs permissions to access some information. Expand the list to check what permissions the app is requesting.

Note: Carefully review what permissions are being granted before accepting for any app.

Image
Image


I click the Accept button to grant the requested permissions.

Image


22. I successfully log in to the client (function app), but there is a further error, this time related to DNS.

Orchestrator function ‘GetCertificates_Orchestrator’ failed: The activity function ‘GetAllCertificates’ failed: “DNS Provider is not configured. Please check the documentation and configure it.”. See the function execution logs for additional details.

Image


The function app does not yet know which DNS provider hosts my domain cloudcrazy.co.uk, so it cannot create the validation records that Let’s Encrypt checks. I need to resolve this before I can request TLS certificates from Let’s Encrypt.

23. Back in the Azure function app, under Settings, click Environment variables.

Image


24. Click the Add button

Image



25. Enter the following. The value tells the bot which subscription contains the Azure DNS zone it will write validation records into:

Name: Acmebot:AzureDns:SubscriptionId
Value: your subscription ID

Image



26. Click Apply, and then click Apply again to save the changes.

27. Click Confirm. Your app may restart.

Image
Image



Azure DNS
I’ll be creating a new Azure DNS zone in my demo environment.

28. In the Azure Portal, search for and click DNS Zones

Image


29. Click create, select a resource group and input your domain.

Click Review and Create.

Image


30. Next, I need to grant the Azure Function App (the client) permission to manage records in my DNS zone. This is what allows it to write the temporary TXT validation records that Let’s Encrypt checks (the DNS-01 challenge) when a certificate is requested. I do this from the DNS zone’s Access control (IAM) page, so the assignment is scoped to this one zone.

Image


31. Click Add and then Add role assignment

Image


32. Select DNS Zone Contributor and click Next

Image


33. Select Managed identity and click + Select members

Image


34. Select the function app from the list and click Select. This grants the function app’s managed identity DNS Zone Contributor on my Azure DNS zone and nothing else.

Image


35. Click the button Review + Assign

36. Finally, I’ll be configuring the name servers for my domain cloudcrazy.co.uk so they point to my Azure DNS zone. Access the Azure DNS zone again and access the overview page.

I add the DNS name servers provided on the overview page to my new domain cloudcrazy.co.uk

Note: please don’t reconfigure name servers for a domain in production without prior planning. This could lead to downtime of your critical services. The domain I am using is currently not used for any production services.

Image



37. I log in to my domain registrar portal and add the four name servers provided by the Azure portal. This delegates the domain to Azure DNS, so I can manage the public DNS for cloudcrazy.co.uk from the Azure portal.

IMPORTANT: I am implementing this solution in a demo environment with a domain name I have registered, which is not used in production. Please be careful when implementing any new solution in production. Ensure you thoroughly research and understand what you’re deploying first.

I add the name servers to my domain by accessing the domain registrar portal.

Image


38. That should be it. I’ll access my Azure Function app url again. No more DNS error.

39. Click Add

Image


40. Click the DNS Zone drop-down list. Great, the function app is able to see the domain in Azure DNS. Remember, I granted the app permissions on my Azure DNS zone in step 30 above.

Image

41. Now it’s time to request a certificate from Let’s Encrypt. This is where we test whether the client (Azure Function App) can talk to Let’s Encrypt, complete the DNS validation and obtain a certificate, which should automatically be stored in Azure Key Vault.

I request a certificate for demo.cloudcrazy.co.uk.

Image

42. Click the Add button which appears next to the DNS Names field, and then click Add towards the bottom. See image below.

Image

Advanced options allow you to change the key size and set a custom certificate name if needed. I’ll be leaving the defaults.

Image


43. Done. If successful the certificate details should appear as shown in the image below.

Image


What happened in the background
The function app created an ACME order with Let’s Encrypt for demo.cloudcrazy.co.uk. Let’s Encrypt answered with a DNS-01 challenge: a one-time token which, combined with the bot’s ACME account key, yields a value that must be published as a TXT record at _acme-challenge.demo.cloudcrazy.co.uk. The function app wrote that temporary record into my Azure DNS zone (this is what the DNS Zone Contributor role is for) and then told Let’s Encrypt the record was in place. Let’s Encrypt resolved the record, confirmed it matched the expected value and therefore that I control cloudcrazy.co.uk, and issued the free TLS certificate, which the bot stored in Azure Key Vault. The temporary record was then deleted by the function app. The whole process took about a minute and ran automatically after I clicked the Add button in step 42.
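The exchange described above, as an added example that is not part of the original post or of the ACME bot’s own code: the arithmetic behind the DNS-01 challenge (RFC 8555 section 8.4, with the account-key thumbprint from RFC 7638), a client side that publishes the TXT record and a CA side that checks it. The account key, tokens and zone contents are constructed placeholders; the zone is a plain dictionary standing in for Azure DNS. It also covers the wildcard case used later in step 49, where the record is published at the base name.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    JWK members only, keys sorted, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint ties the challenge to one account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """The record lives at _acme-challenge.<name>. A wildcard (*.example) is validated
    at the base name, and DNS-01 is the only challenge Let's Encrypt accepts for it."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def publish_challenge(zone: dict, identifier: str, token: str, account_jwk: dict) -> str:
    """Client side (what the function app does through Azure DNS): add the TXT value."""
    name = challenge_record_name(identifier)
    zone.setdefault(name, set()).add(dns01_txt_value(token, account_jwk))
    return name


def ca_validates(zone: dict, identifier: str, token: str, account_jwk: dict) -> bool:
    """CA side: resolve the TXT record set and check that one value matches."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(challenge_record_name(identifier), set())


def cleanup_challenge(zone: dict, identifier: str, token: str, account_jwk: dict) -> None:
    """Remove only our value so other pending challenges at the same name survive."""
    name = challenge_record_name(identifier)
    values = zone.get(name, set())
    values.discard(dns01_txt_value(token, account_jwk))
    if not values:
        zone.pop(name, None)


# Constructed EC P-256 account key containing only the members RFC 7638 hashes.
# The coordinates are placeholders, not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
}


def run_challenge(identifier: str, token: str, zone: dict,
                  account_jwk: dict = SAMPLE_ACCOUNT_JWK) -> bool:
    """Full round trip: publish, let the CA validate, clean up. Returns the CA's verdict."""
    publish_challenge(zone, identifier, token, account_jwk)
    verdict = ca_validates(zone, identifier, token, account_jwk)
    cleanup_challenge(zone, identifier, token, account_jwk)
    return verdict


if __name__ == "__main__":
    zone = {}  # constructed stand-in for the Azure DNS zone: record name -> TXT values
    for i, name in enumerate(("demo.cloudcrazy.co.uk", "*.cloudcrazy.co.uk")):
        ok = run_challenge(name, f"constructed-token-{i}", zone)
        print(f"{name:24} -> {challenge_record_name(name):40} validated={ok}")
    print("zone after cleanup:", zone)
```

Because the TXT value is a hash of the token and the account key, a record left behind by an earlier order, or one planted by someone who can write to the zone but does not hold the account key, will not validate a new challenge; the check is per token and per account, which is also why the bot can safely remove its own record afterwards.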

Image

The image above displays Unmanaged certificates and Another CA certificates.

Unmanaged Certificates: If you had certificates in your Azure Key Vault which were not created by the ACME bot, those certificates would appear under unmanaged certificates.

Another CA certificates: certificates issued by another CA (Certificate Authority) would appear here.

44. Click the details button and explore the options available.

Image
Image


As seen in the image above, I can manage the certificate from the client dashboard, including manually renewing or revoking the certificate. Also, because the function app has an API, I could automate the process without having to access the dashboard directly.

Where is the certificate stored?

45. Finally, let’s check if the certificate is visible in Azure Key Vault.

  • I’ll access my Azure Key Vault, which was created as part of the deployment earlier.
  • Inside Key Vault, click certificates from the left pane
Image


46. You may receive the error below:

Error: The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective. 

Image


This permissions error indicates that my user account does not have data-plane permissions on the certificates in Azure Key Vault. Let’s grant permissions by accessing Access control (IAM).

Image


For the purpose of this demo, I am granting my account the Key Vault Administrator role.
Note: there are lower-privileged Key Vault roles available, such as Key Vault Certificates Officer, which is enough to view and manage certificates without touching the vault’s keys or secrets. Outside a demo, prefer one of those.

Image
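The two role assignments made in this post (DNS Zone Contributor for the function app’s managed identity in steps 30 to 35, and Key Vault Administrator for my own account in step 46) are exactly the kind of thing worth checking after the fact. The following is an added example, not code from the post or from Azure: an offline least-privilege check over role assignment records shaped like `az role assignment list` output. The subscription ID, function app name, vault name and admin account are constructed placeholders; the third assignment is deliberately over-broad so the check has something to flag.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # display name of the identity
    principal_type: str   # "ServicePrincipal" for a managed identity, or "User"
    role: str             # built-in role name
    scope: str            # Azure resource ID the assignment applies to


# Scope levels from broadest to narrowest.
LEVEL_RANK = {"root": 0, "managementGroup": 1, "subscription": 2,
              "resourceGroup": 3, "resource": 4}

# role -> (narrowest scope level it should be assigned at,
#          less-privileged built-in role that usually suffices, or None)
POLICY = {
    "DNS Zone Contributor": ("resource", None),
    "Key Vault Administrator": ("resource", "Key Vault Certificates Officer"),
}


def scope_level(scope: str) -> str:
    """Classify an Azure scope string by where it sits in the resource hierarchy."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if "providers" in parts:          # .../providers/<RP>/<type>/<name>
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"


def audit(assignments) -> list:
    """Return one finding per assignment that is broader than POLICY allows."""
    findings = []
    for a in assignments:
        narrowest, narrower_role = POLICY.get(a.role, (None, None))
        level = scope_level(a.scope)
        if narrowest and LEVEL_RANK[level] < LEVEL_RANK[narrowest]:
            findings.append(f"{a.principal}: '{a.role}' assigned at {level} scope "
                            f"({a.scope}); scope it to the single {narrowest} it needs")
        if narrower_role:
            findings.append(f"{a.principal}: '{a.role}' is broader than certificate "
                            f"management requires; consider '{narrower_role}'")
    return findings


# Constructed sample data mirroring the demo (names and IDs are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ZONE = SUB + "/resourceGroups/rg-KeyVaultBot/providers/Microsoft.Network/dnszones/cloudcrazy.co.uk"
VAULT = SUB + "/resourceGroups/rg-KeyVaultBot/providers/Microsoft.KeyVault/vaults/kv-acmebot-demo"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("func-keyvaultbot", "ServicePrincipal", "DNS Zone Contributor", ZONE),
    RoleAssignment("demo-admin", "User", "Key Vault Administrator", VAULT),
    RoleAssignment("func-keyvaultbot", "ServicePrincipal", "DNS Zone Contributor", SUB),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS):
        print("-", finding)
```

The zone-scoped DNS assignment passes; the subscription-scoped copy is flagged because it would let the bot rewrite records in every zone in the subscription, and the Key Vault Administrator assignment is flagged only as broader than needed, which matches the note above.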


47. Now that I have assigned my account permissions, let’s try that again.

The certificate is now visible to me in Azure Key Vault

Image


48. Click the certificate and you’ll see one version. Go back to your Azure function app and click the button to renew the certificate; a second version of the certificate will automatically appear in Azure Key Vault. Any app that references the certificate by name, without pinning a specific version, picks up the new version on renewal, so check that your consumers are not hard-coded to a versioned certificate URL.

Image
Image

And the Azure Key Vault now shows the new version of the certificate.

Image


49. Go ahead and request another certificate from the Azure Function App dashboard. This time I’ll enter portal.cloudcrazy.co.uk, and then try a wildcard, *.cloudcrazy.co.uk. Wildcard names can only be validated with the DNS-01 challenge, which is another reason the Azure DNS delegation above was needed.

Image


Image
Image
Image


Two additional certificates are now visible in Azure Key Vault as shown in the image below.

Image


I hope you found this demo useful.

Azure Traffic Manager 404 Web Site not found

Reading Time: 2 minutes


A quick post about a problem I encountered after deploying an Azure Traffic Manager with three endpoints consisting of three websites running in Azure App Services. Initially, everything worked smoothly, but a few days after deployment, I started encountering an error.

When accessing the traffic manager url, I received the message below.

Message:
404 Web Site not found. You may be seeing this error due to one of the reasons listed below:
– Custom domain has not been configured inside Azure.
– Client cache is still pointing the domain to the old IP address. Clear the cache by running the command ipconfig/flushdns.

Image


Traffic manager also showed a monitor status of Degraded as shown in the image below

Image


However, I was able to access each app service url directly without an issue and the web page would load successfully. The above error only appeared when accessing the traffic manager url.

Resolution
I was originally using Standard App Service plans, which support custom domains. My App Service had the Traffic Manager domain configured as a custom domain, as shown in the image below.

Image


When investigating, I found that the error was due to my App Service plans having been downgraded to the Shared tier, which does not allow the use of custom domains.

Image


Upgrading to a plan which allows custom domains resolved the issue.

A quick post, but I hope it’s of use to you.

Be Part of HISTORY – Earn Your Free AI Skills Badge Today!

Reading Time: 2 minutes


Are you ready to be part of HISTORY?

Join us for the AI (Artificial Intelligence) Skills Fest event happening today, April 8th 2025, where Microsoft aim to set a new Guinness World Record™ for the number of people trained on AI in a 24 hour period!


Why You Should Join

  • Around the Clock Learning: Participate at any time that suits you with learning opportunities available 24/7.
  • Earn a Badge: Participants will earn a badge to showcase their achievement and be part of history. Available today only (8th April 2025).
  • 50 Days of Discovery: Continue your AI skilling journey after the 8th of April 2025 with 50 days of discovery and learning.
  • Free Registration: Yes, you read that right! Register for FREE and be part of this groundbreaking event.


How to Participate in the Guinness World Record™ attempt

  1. Register: Register for free at Microsoft AI Skills Fest – Home
  2. Explore sessions: Click Explore event located towards the top of the page (as shown in the image below), or click the following link, AI Skills Fest Events
  3. Take part in 1 or more 45 minute sessions TODAY Tuesday 8th April.
Image


4. Confirm Your Participation: Scan the QR code at the end of the session to contribute towards the global Microsoft effort and become a Guinness World Record™ holder yourself! The presenter will display a QR code for you to scan at the end of the session.

5. Claim Your Badge: Don’t forget to claim your badge! 🥳

6. Share your success: Post your milestone with hashtag #AISkillsFest


What happens after the 8th April 2025?

Continue Learning with 50 days of FREE AI learning!

Join the Microsoft AI Skills Challenge and WIN a FREE exam voucher and cash prizes. This is a 50-day gamified learning challenge to sharpen your AI skills and compete globally. Learn more and get started at https://aka.ms/aiskillfest/challengeofficialrules. The page includes a list of FAQs.

Spread the Word

Help us make history by sharing this event with your friends, colleagues, and followers. Together, we can achieve something truly remarkable.

Here is my badge 🙂

Image

Part 3 – Microsoft Purview Roles and Scopes

Reading Time: 8 minutes


Hello and welcome to Part 3 of this blog post series on Microsoft Purview. You can visit the previous posts via the links below:

Part 1: Introduction to Microsoft Purview – Part 1 – Cloud Build
Part 2: Microsoft Purview Portal – Part 2 – Cloud Build

In this post, I explore Microsoft Purview roles and scopes.

As we know from the previous posts, Microsoft Purview offers a robust data governance and compliance solution, enabling organisations to manage sensitive information across multiple platforms. Given the highly sensitive nature of the data within Microsoft Purview, it is crucial to restrict access to authorised individuals only. To ensure that access is granted to the right individuals, Microsoft Purview leverages Role Based Access Control (RBAC), which allows for more precise control over who can access specific solutions and datasets.

Please note that holding a Compliance Admin or even a Global Admin role may not grant access to highly confidential data. Additional roles may need to be assigned to manage specific areas within Microsoft Purview. Furthermore, granting highly privileged roles to admins does not follow best practices and the principle of least privilege. We should always assign just enough permissions for the admin to perform their duties.

Let’s explore roles and scopes further.

  1. Access purview.microsoft.com, click Settings, and click to expand Roles and scopes from the left pane.
Image


2. The first two options available under Roles and scopes are Microsoft Entra ID and Role groups.

Image


Microsoft Entra ID roles, visible within Entra ID at entra.microsoft.com, include over 100 built in roles that serve various administrative functions. In the Microsoft Purview Portal, however, only 9 specific Entra ID roles are listed, each capable of performing tasks related to compliance and governance in Microsoft Purview. These roles, when assigned or if already assigned to users, grant them permissions to access and perform specific tasks within Microsoft Purview. Therefore, if you’re assigned one of these roles via Entra ID, you will have certain permissions inside Microsoft Purview depending on the role assigned. However, this does not mean you have full control to Microsoft Purview, as additional Purview roles need to be assigned to perform specific tasks.

Image


For example, to view Role Groups (under the option Entra ID) in the Purview portal, users need to have the Global Administrator role assigned. If you’re already a Global Admin, you’ll automatically have access to view and manage users within Role Groups in Microsoft Purview.

Image


However, assigning such a powerful role (Global Administrator) might not always be ideal, as it provides extensive permissions beyond just viewing Role Groups in Entra ID. To address this, there is a more targeted Microsoft Purview role available under Role Groups, the Role Management role. This role enables users to view, create, and modify Role Groups and much more inside Microsoft Purview without granting the broad permissions associated with a Global Admin, which has significant control over your environment.

But what is the purpose of Role Groups? Role groups in Microsoft Purview are specific to data governance and compliance tasks within Purview itself. These groups allow you to manage user permissions for accessing and performing tasks in Purview, like working with policies or data classifications. Essentially, Entra ID roles control broader administrative access, while the 65 built in Role Groups target Purview specific permissions. Apart from the one Entra ID role (Global Administrator), the remaining 8 Entra ID roles can also be located inside Role Groups.

Why is it called a Role Group? Because it’s a group of roles. Let’s take Organization Management as an example.

Image


3. If I click on the Organization Management role group, I see a number of roles included as part of this role group.

Image


The image above displays a list of roles in the Organization Management group.

4. Click Edit to add members to this group.

Image


5. From here, we can add members to this role group and click next to complete.

Image


6. But what if one of the role groups was nearly ideal for you, but you wanted to remove some roles or slightly tweak the role group to fulfil your requirements? You can clone the role group by clicking “Copy” and configure it as needed.

Image

7. Give the role group a suitable name and click Copy.

Image


8. Locate the custom role group you created from the list, open it, and click Edit. You can then remove any unwanted roles as needed.

Image


9. What if you wanted to create a role group and add the required roles from scratch? Click Role groups located under Roles and scopes, and click + Create role group as shown in the images below.

Image

Image


Important note:
It’s crucial to assign the right permissions following the principle of least privilege, ensuring that users managing Purview have only the permissions necessary to perform their job functions. Over provisioning permissions can increase the attack surface and lead to excessive control in the event the account is compromised by a bad actor.

Finally, we come to Adaptive scopes.

Adaptive Scopes

Image


What are Adaptive Scopes?

When you create retention and communication compliance policies (more on these policies later) in Microsoft Purview, you can add an adaptive scope to your policy. But what’s the benefit? An adaptive scope allows you to create policies that automatically adjust to include or exclude data based on specific criteria. This helps ensure that the right policies are applied to the right data without needing constant manual updates. For example, say you want a retention policy that keeps all documents related to financial transactions for 7 years, regardless of where the data is stored. You can create and assign an adaptive scope based on a query, such as the user’s country being the US. The retention policy will then retain data for the specified number of years for US users only. If the retention requirement in the UK is different, you could create a second retention policy that retains data for 10 years and assign it an adaptive scope whose query matches UK users. An adaptive scope reduces the management overhead.

Adaptive scopes are similar to dynamic groups in Entra ID but offer more and work with specific Purview policies, which will be covered later. To summarise, an adaptive scope is a scope that is dynamically filled based on a query you configure.

Adaptive scopes can also be applied to SharePoint site names and URLs, OneDrive, Teams messages and more. See the image below for a list. Source: Adaptive scopes | Microsoft Learn

Image

Let’s go through the steps

  1. Navigate to the Microsoft Purview portal and click on Adaptive scopes.
Image


2. Click on Create scope to start creating a new adaptive scope

Image


3. Enter a name for your adaptive scope. For example, you want to create an adaptive scope for your finance team. You can later create a retention policy to store data for the finance team for 7 years and assign this adaptive scope to the policy. Microsoft Purview will look for individuals in the finance team with a specific attribute, which we will configure shortly.

Click Next to proceed

Image


4. The next page allows you to assign an admin unit you may have created in Entra ID. You don’t have to select admin units and could click Next to move to the next page, but it’s worth knowing why you would want to use an admin unit.

Explanation of Admin Units
Admin units provide the ability to assign admins to one or more administrative units, with the result that these now restricted admins can manage only the users in their assigned administrative units. For example, a university may have thousands of student user accounts located in Entra ID. You need to split support responsibility amongst three IT teams. IT Team A are responsible for taking support calls from the Law students. IT Team A have the needed permissions to manage Law student user accounts. Team B will only manage Medicine students and Team C will only manage Engineering students. Admin units allow us to split responsibility between the IT teams.

This boundary of management flows into Microsoft Purview for supported solutions to ensure that restricted admins can manage only the users they have been assigned to manage.

For example, let’s take IT team A who manage and support Law students. IT team A only have the permissions to manage Law student user accounts. We create a new adaptive scope for Law students and select the administrative unit named Law Students. Then, because we want the adaptive scope to include only Law students, we use the department attribute to specify Department = Faculty of Law. If we misconfigure this attribute and instead specify, Department = Faculty of Art, but the users with that value aren’t included in the Law students administrative unit, the scope won’t contain any users. The target users can be Law students only. You can learn more about administrative units at the following Microsoft Learn link, Administrative units in Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn.

In this demo, I won’t be assigning an admin unit. Click Next

Image


5. On the scope type page, we can select the scope. Here we can scope the adaptive scope to users, SharePoint sites or Microsoft 365 groups.

Image


6. I’ll select SharePoint sites and click Next.

Image


7. This is where we can build a query. For example, these attributes can be used in our policy to apply a retention policy of 7 years if the SharePoint URL or name starts with “finance”.

Image


8. Here is an example query

Query: Site URL starts with finance

Image


and here is my SharePoint page starting with finance in the URL.

Image


You can also add additional queries if required

Image


You can also add custom attributes if needed

Image


You can also use a different condition if you don’t wish to use “starts with”

Image

9. Now, when I apply the adaptive scope to a policy, it will only apply the policy to SharePoint sites starting with Finance.

We can also create an adaptive scope for users, SharePoint site or Microsoft 365 Groups. Images below.

Image


User attributes available for users

Image


Microsoft 365 Groups

Image


Attributes available for Microsoft 365 Group

Image


That’s it for roles and scopes.

I hope this post was useful.

Stay tuned for further blog posts where we explore the different solutions available in Microsoft Purview.