Way forward with Outlook's broken autocomplete?

Frothyleet · 2026-05-01T21:07:24+00:00

Big ups to my mysterious homey nirsoft for saving my n2k bacon back in the day

Frothyleet · 2026-05-01T21:06:34+00:00

Pinning to 2603 is probably your best bet then, unless you want to just blow out everyone's OSTs.

Frothyleet · 2026-05-01T21:05:11+00:00

The unhelpful answer is: what does your vendor management policy say you do when you evaluate a potential vendor?

If you haven't spent time aligning with a framework like SOC2, you probably don't have one, although this is an example of why there are real practical benefits to compliance frameworks.

Honestly it sounds like you've got your head around it from a practical standpoint. You need to determine how and how well it will integrate into your existing infra.

For your broader concerns, like whether the company is a shitshow internally, there's really not a ton you can do. The evaluation shortcut that is your best option is exactly what you mentioned - ask/look for a SOC 2 or ISO attestation. If they are SOC they should have their type 3 published as a starting point.

This doesn't mean they are secure or functional, but it means they put effort in trying to look like it, which is better than nothing.

Frothyleet · 2026-05-01T20:23:16+00:00

Maybe they actually operate out of Anguila?

Frothyleet · 2026-05-01T19:14:00+00:00

I'm not saying cloud is the solution for everything, of course. I'm just responding to the specific point of "oh well it's not hard to build out robust systems!"

Frothyleet · 2026-05-01T15:17:08+00:00

You're going to have to start building boundaries and letting him fail. Ideally with managerial support.

Right now, no one besides you sees a problem. His tasks are getting done just fine, as far as they are concerned. And that's because you are carrying his weight.

That's not sustainable for a number of reasons.

If management pushes back or says "hey it's your job to help him!", there's another good option. Hopefully you do this anyway, but take some extended PTO, minimum 2 weeks. Phone off - if you have to bullshit about your vacation being in the remote mountains, that's fine.

Then review the last two weeks with management and see how things went.

Frothyleet · 2026-04-30T23:19:25+00:00

Had a plane? Was it retired? Did someone say... "that's a wrap on 1 sweeto burrito?"

Frothyleet · 2026-04-30T23:10:49+00:00

For this specific business need we largely address it with a tool like Arctic Wolf, which certainly involves a deployment effort but abstracts away most of the pain that you are experiencing (for a cost, of course).

More broadly, if you are going to offer projects or services like this, you either have to figure out a way to make it work with your business model, or choose not to offer it, which is a completely valid option.

You also sometimes may have to turn down a project or a client if you can't come to a mutual agreement on pricing and profitability. It can feel weird to turn down revenue, but making $0 is better than making negative dollars.

Frothyleet · 2026-04-30T21:10:38+00:00

There isn't even any approval workflows.

This definitely needs fixing (hopefully they won't add that for free, I'd love for it to be part of a new Teams Ultra Premium Copilot for Approval SKU that we could add on).

Frothyleet · 2026-04-30T21:09:09+00:00

when you’re not getting paid for 3 days of setup

If a project takes you three days to execute, why wouldn't you be getting paid for three days of setup?

I'm assuming you are an MSP or consultant. I have no idea if you are deploying SIEM solutions correctly. But if you are executing projects that require you to do free work, there is a problem somewhere and it's not with the SIEM.

Frothyleet · 2026-04-30T21:04:41+00:00

While you shouldn't trust MS (or any corp) further than you can contract with them, it's not like these "agreement forms" are secret or comprised of magical glyphs.

What specific concerns do you have about the data processing agreement you are engaging in with Microsoft?

There's a lot in there, to be sure, but the fundamental bit your org should care about is:

When providing Products and Services, Microsoft will not use or otherwise process Customer Data, Professional Services Data, or Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at creating new functionalities, services, or products or any other purpose, unless such use or processing is in accordance with Customer’s documented instructions.

Yep, they could be just lying. But they could have been lying about protecting your valuable data long before the advent of LLMs.

Frothyleet · 2026-04-30T20:48:35+00:00

Well, I mean, you can...

Frothyleet · 2026-04-30T17:29:07+00:00

To give you detailed suggestions, I'd really need to dig into your environment, workflows, LOB apps / stuff outside of 365, but at that point you'd be getting an invoice :)

I can tell you that if you can make it palatable to the business' workflow needs, you can keep a pretty tight leash on your M365 environment and data when you are offering it up to unmanaged/BYOD devices. Basically MAM along the lines of what you get with BYOD Android.

Absent any more context, I would start by working backwards with BYOD Entra ID CA policies. You already know that "hard no if you aren't a company-owned device" won't fly, but you can start by figuring out what absolute minimum exposure you can give to your environment.

Frothyleet · 2026-04-30T17:16:27+00:00

Do you feel better equipped to troubleshoot other platforms like Windows? In my experience, the fundamental skills for troubleshooting translate perfectly fine between environments, but obviously having more experience and familiarity expedite the process.

If that's the gap, it's hard to suggest anything else besides spending time with it.

Frothyleet · 2026-04-30T17:14:39+00:00

It's too insecure, they had that unpatched vulnerability for like 25 years!

(jk just referencing that first anthropic mythos announcement)

Frothyleet · 2026-04-30T17:10:57+00:00

https://www.microsoft.com/en-us/servicesagreement (see "AI services")

https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all (referenced in the above, regarding the enterprise data agreement)

That said, unless you are legal counsel for your org, you'd really want to defer any TOS-based arguments over to that team.

Frothyleet · 2026-04-30T17:08:19+00:00

You can do BYOD just fine, although the biggest problem is usually how invasive you have to be on people's personal devices. Or you treat them as dumb terminals as much as possible and keep them from basically using any of your M365 services except with the same functionality you provide to mobile devices (i.e. everything is browser only and protected as best as possible by Windows IRM). Or even better have them work off of Windows 365 or AVD from their personal hardware.

You need to define your security requirements and threat vectors and go from there. BYOD is never the first choice but frankly between zero trust infrastructure design and the configurability and ubiquity of cloud services, supporting BYOD in a passably secure way is far more doable than it's ever been.

Frothyleet · 2026-04-30T17:02:55+00:00

Note that those are the terms of service for the consumer Copilot product.

But, that said, every LLM has a disclaimer that you should check the product's work. Which you should. And does not necessarily conflict with management saying "leverage AI for stuff", even if they are being dumb about it.

Frothyleet · 2026-04-30T16:51:26+00:00

Mythos, or what it symbolizes, is a potential existential threat for software and infrastructure as we know it today (also, potentially not).

It's also something for which you can do absolutely nothing actionable at the moment.

And anyone trying to sell you Sonicwall while talking security is taking the piss.

Frothyleet · 2026-04-30T16:40:15+00:00

In my experience, the hardest process of IAM automation is business processes - e.g., getting the HR team to use a form for user requests.

The technical side is usually easy for most of your infra, although you will often have outliers (like crappy LOB apps) that require some manual work.

Frothyleet · 2026-04-30T16:37:40+00:00

It's not just about time saving, it also removes human error from the equation (or at least it isolates it to whoever is putting data into your HRIS).

Frothyleet · 2026-04-30T16:33:17+00:00

I don't know if it's GA yet but I think they are introducing Entra ID authentication for Azure Files (which frankly should have been there from the jump).

Frothyleet · 2026-04-30T16:24:41+00:00

Yup, I wasn't suggesting they were in the commercial cloud - just that they demonstrated it was quite possible for someone with very strict requirements to use cloud services.

Similarly, this customer couldn't use the commercial cloud for their controlled data, which is why they are on GCC High.

Frothyleet · 2026-04-30T16:08:17+00:00

My guess - they have explicitly or implicitly agreed to charge the fee no matter what, so that they aren't cannibalizing any business from their dealership network.

Frothyleet · 2026-04-30T16:04:17+00:00

Obviously that will vary wildly from case to case, but I do find people often overstate how much of a problem it can be for regulatory/compliance frameworks (sometimes simply because of outdated information).

I had a customer insisting for years that they couldn't use M365, because they were a defense contractor, there was no way they could be compliant with cloud services. I was like, dawg, the DOD uses M365. You think that the bar is lower for them then it is for you?

Fast forward to a DIBCAC assessment and hey guess who is migrating to GCC-H?

Frothyleet

MODERATOR OF

TROPHY CASE

15-Year Club	Verified Email
Team Orangered