For Project Service Automation customers on US government cloud, we will have a future announcement regarding upgrade and the availability of Project Operations.
Beginning March 31st, 2025, Microsoft will no longer support PSA on commercial cloud environments. There will not be any feature enhancements, updates, bug fixes, or other updates to this offering. Any support ticket logged for the PSA commercial cloud will be closed with instructions to upgrade to Dynamics 365 Project Operations.
We strongly encourage all customers of PSA commercial cloud to start planning your upgrade process as soon as possible so you can to take advantage of many new Project Operations features such as:
Integration with Project for the Web with many new advanced scheduling features
Project Operations was first released in October 2020 as a comprehensive product to manage Projects from inception to close by bringing together the strengths of Dataverse, Microsoft Dynamics 365 Finance and Supply Chain Management, and Project for the web assets.
Want to learn more about Project Operations? Check this link and navigate to our detailed documentation!
Want to try Project Operations? Click here and sign up for a 30-day trial!
This article is contributed. See the original author and article here.
Heya folks, Ned here again. Last November, Microsoft launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.
Windows has focused on security options with each major release, and Windows 11 24H2 and Windows Server 2025 are no exception: they include a dozen new SMB features that make your data, your users, and your organization safer – and most are on by default. Today I’ll explain their usefulness, share some demos, and point to further details.
We now require signing by default for all Windows 11 24H2 SMB outbound and inbound connections and for all outbound connections in Windows Server 2025. This changes legacy behavior, where we required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing for their clients.
How it helps you
SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. By requiring signing by default, we ensure that an admin or user must opt out of this safer configuration, instead of requiring them to be very knowledgeable about SMB network protocol security and turn signing on.
The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication that could downgrade from Kerberos to NTLM.
How it helps you
Blocking NTLM authentication prevents tricking clients into sending NTLM requests to malicious servers, which counteracts brute force, cracking, relay, and pass-the-hash attacks. NTLM blocking is also required for forcing an organization’s authentication to Kerberos, which is more secure because it verifies identities with its ticket system and better cryptography. Admins can specify exceptions to allow NTLM authentication over SMB to certain servers.
The SMB server service now throttles failed authentication attempts by default. This applies to SMB sharing files on both Windows Server and Windows.
How it helps you
Brute force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example – 90,000 attempts – would now take 50 hours to complete. An attacker is far more likely to simply give up than keep trying this method.
SMB insecure guest auth now off by default in Windows Pro editions
What it is
Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years.
How it helps you
Guest logons don’t require passwords & don’t support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios – for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that makes a client think it’s legitimate. The attacker doesn’t need to know the user’s credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven’t enabled guest in server scenarios since Windows 2000.
You can now mandate the SMB 2 and 3 protocol versions used.
How it helps you
Previously, the SMB server and client only supported automatically negotiating the highest matched dialect from SMB 2.0.2 to 3.1.1. This means you can intentionally block older protocol versions or devices from connecting. For example, you can specify connections to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
The SMB client now supports requiring encryption of all outbound SMB connections.
How it helps you
Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing. When enabled, the SMB client won’t connect to an SMB server that doesn’t support SMB 3.0 or later, or that doesn’t support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
Remote Mailslots deprecated and disabled by default
What it is
Remote Mailslots are deprecated and disabled by default for SMB and for DC locator protocol usage with Active Directory.
How it helps you
The Remote Mailslot protocol is an obsolete, simple, unreliable, IPC method first introduced in MS DOS. It is completely unsafe and has no authentication or authorization mechanisms.
SMB over QUIC is now included in all Windows Server 2025 editions (Datacenter, Standard, Azure Edition), not just on Azure Edition like it was in Windows Server 2022.
How it helps you
SMB over QUIC is an alternative to the legacy TCP protocol and is designed for use on untrusted networks like the Internet. It uses TLS 1.3 and certificates to ensure that all SMB traffic is encrypted and usable through edge firewalls for mobile and remote users without the need for a VPN. The user experience does not change at all.
SMB over QUIC client access control lets you restrict which clients can access SMB over QUIC servers. The legacy behavior allowed connection attempts from any client that trusts the QUIC server’s certificate issuance chain.
How it helps you
Client access control creates allow and block lists for devices to connect to the file server. A client would now need its own certificate and be on an allow list to complete the QUIC connection before any SMB connection occurs. Client access control gives organizations more protection without changing the authentication used when making the SMB connection and the user experience does not change. You can also completely disable the SMB over QUIC client or only allow connection to specific servers.
You can use the SMB client to connect to alternative TCP, QUIC, and RDMA ports than their IANA/IETF defaults of 445, 5445, and 443.
How it helps you
With Windows Server, this allows you to host an SMB over QUIC connection on an allowed firewall port other than 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers.
The built-in firewall rules don’t contain the SMB NetBIOS ports anymore.
How it helps you
The NetBIOS ports were only necessary for SMB1 usage, and that protocol is deprecated and removed by default. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
How it helps you
It is much easier for you to determine if Windows and Windows Server devices are making SMB over QUIC connections. It is also much easier to determine if third parties support signing and encryption before mandating their usage.
With the release of Windows Server 2025 and Windows 11 24H2, we have made the most changes to SMB security since the introduction of SMB 2 in Windows Vista. Deploying these operating systems fundamentally alters your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations worldwide.
This article is contributed. See the original author and article here.
After the release of Phi-3 at Microsoft Build 2024, it has received different attention, especially the application of Phi-3-mini and Phi-3-vision on edge devices. In the June update, we improved Benchmark and System role support by adjusting high-quality data training. In the August update, based on community and customer feedback, we brought Phi-3.5-mini-128k-instruct multi-language support, Phi-3.5-vision-128k with multi-frame image input, and provided Phi-3.5 MOE newly added for AI Agent. Next, let’s take a look
Multi-language support
In previous versions, Phi-3-mini had good English corpus support, but weak support for non-English languages. When we tried to ask questions in Chinese, there were often some wrong questions, such as
Obviously, this is a wrong answer
But in the new version, we can have better understanding and corpus support with the new Chinese prediction support
You can also try the enhancements in different languages, or in the scenario without fine-tuning and RAG, it is also a good model.
Phi-3.5-Vision enables Phi-3 to not only understand text and complete dialogues, but also have visual capabilities (OCR, object recognition, and image analysis, etc.). However, in actual application scenarios, we need to analyze multiple images to find associations, such as videos, PPTs, books, etc. In the new Phi-3-Vision, multi-frame or multi-image input is supported, so we can better complete the inductive analysis of videos, PPTs, and books in visual scenes.
As shown in this video
We can use OpenCV to extract key frames. We can extract 21 key frame images from the video and store them in an array.
images =[]
placeholder =“” for i inrange(1,22): withopen(“../output/keyframe_”+str(i)+“.jpg”,“rb”)as f:
In order to achieve higher performance of the model, in addition to computing power, model size is one of the key factors to improve model performance. Under a limited computing resource budget, training a larger model with fewer training steps is often better than training a smaller model with more steps.
Mixture of Experts Models (MoEs) have the following characteristics:
Faster pre-training speed than dense models
Faster inference speed than models with the same number of parameters
Requires a lot of video memory because all expert systems need to be loaded into memory
There are many challenges in fine-tuning, but recent research shows that instruction tuning for mixed expert models has great potential.
Now there are a lot of AI Agents applications, we can use MOEs to empower AI Agents. In multi-task scenarios, the response is faster.
We can explore a simple scenario where we want to use AI to help us write Twitter based on some content and translate it into Chinese and publish it to social networks. We can combine Phi-3.5 MOEs to complete this. We can use Prompt to set and arrange tasks, such as blog content publishing, translated content, and the best answer.
“””
sys_msg = “””
You are a helpful AI assistant, you are an agent capable of using a variety of tools to answer a question. Here are a few of the tools available to you:
– Blog: This tool helps you describe a certain knowledge point and content,andfinally write it into Twitter or Facebook style content – Translate: This is a tool that helps you translate into any language, using plain language as required – Final Answer: the final answer tool must be used to respond to the user. You must use this when you have decided on an answer.
To use these tools you must always respond in JSON format containing `“tool_name”` and `“input”` key–value pairs. For example, to answer the question,“Build Muliti Agents with MOE models” you must use the calculator tool like so:
{ “tool_name”:“Blog”, “input”:“Build Muliti Agents with MOE models” }
Or to translate the question “can you introduce yourself in Chinese” you must respond:
{ “tool_name”:“Search”, “input”:“can you introduce yourself in Chinese” }
Remember just output the final result, ouput in JSON format containing `“agentid”`,`“tool_name”` , `“input”` and `“output”` key–value pairs .:
{“agentid”:“step2”, “tool_name”:“Search”, “input”:“can you introduce yourself in Chinese”, “output”:“………” }, { “agentid”:“final” “tool_name”:“Result”, “output”:“………” } ]
The users answer isas follows.
“”“
We can see that by telling the model what skills it needs to have and the arrangement of tasks, we can assign them to different tasks through Phi-3.5 MOEs to complete related work.
Write something about Generative AI with MOEs , translate it to Chinese
The result :
[ { “agentid”:“step1”, “tool_name”:“Blog”, “input”:“Generative AI with MOE”, “output”:“Generative AI with MOE (Mixture of Experts) is a powerful approach that combines the strengths of generative models and the flexibility of MOE architecture. This hybrid model can generate high-quality, diverse, and contextually relevant content, making it suitable for various applications such as content creation, data augmentation, and more.” }, { “agentid”:“step2”, “tool_name”:“Translate”, “input”:“Generative AI with MOE is a powerful approach that combines the strengths of generative models and the flexibility of MOE architecture. This hybrid model can generate high-quality, diverse, and contextually relevant content, making it suitable for various applications such as content creation, data augmentation, and more.”, “output”:“基于生成AI的MOE(Mixture of Experts)是一种强大的方法,它结合了生成模型的优势和MOE架构的灵活性。这种混合模型可以生成高质量、多样化且上下文相关的内容,使其适用于各种应用,如内容创建、数据增强等。” }, { “agentid”:“final”, “tool_name”:“Result”, “output”:“基于生成AI的MOE(Mixture of Experts)是一种强大的方法,它结合了生成模型的优势和MOE架构的灵活性。这种混合模型可以生成高质量、多样化且上下文相关的内容,使其适用于各种应用,如内容创建、数据增强等。” } ]
If conditions permit, we can more smoothly integrate the Phi-3 MOEs model into frameworks such as AutoGen, Semantic Kernel, and Langchain.
SLMs do not replace LLMs but give GenAI a broader scenario. The update of Phi-3 allows more edge devices to have better support, including text, chat, and vision. In modern AI Agents application scenarios, we hope to have more efficient task execution efficiency. In addition to computing power, MoEs are the key to solving problems. Phi-3 is still iterating, and I hope everyone will pay more attention and give us better feedback.
This article is contributed. See the original author and article here.
[Available for iOS only, Android support coming soon]
If you already have a Dynamics 365 Field Service, Dynamics 365 Guides, and/or Dynamics 365 Remote Assist license, you can access the new remote assistance capabilities in your mobile Teams app automatically upon release at no additional cost.
Turn any mobile device into a mixed reality collaboration platform
Today, frontline workers use Teams within the Microsoft Dynamics 365 Remote Assist and Guides applications to collaborate with spatial annotations. The Remote Assist mobile app is a popular choice for workers on the go because it’s fast and easy to get anyone on a call, show the task in front of you, and ink your space.
Now, those same workers can quickly access this core functionality directly from the Teams mobile app as long you have Dynamics 365 Field Service license. For workers who are often on the move, having all their core collaboration capabilities in a single app makes the job easier. It eliminates the need to switch apps, while making sure all your collaboration capabilities from Teams are at your fingertips.
No more context switching—stay within the flow of work
Using this feature is as straightforward as joining a Teams meeting or making a call. With the front-facing camera, users can share their view with remote participants. This allows real-time collaboration relying on 3D annotations overlayed on physical objects to enhance comprehension.
Just like with the Remote Assist app, users can move and change angles without losing track of annotations anchored to their environment. This advanced level of interaction empowers Teams mobile users to share insights and reduce miscommunications that could lead to rework.
Reduce app sprawl by eliminating the need to manage another app
If your company already leverages Teams to facilitate communication and collaboration, why not make it cover more collaborative use cases for frontline workers too? IT administrators don’t need to manage another app to enable remote assistance capabilities for their mobile workforce.
Bringing Spatial Annotations to the Teams mobile app means fewer apps for IT teams to provision, update, and audit. Companies can benefit from Teams’ ability to support end-to-end encryption, data loss prevention, and compliance certifications, adding additional security measures protecting against unauthorized access to confidential company information.
How can I access Spatial Annotations on my mobile Teams app?
The public preview for iOS users is currently rolling out, with public preview for Android users coming later this summer. General availability will come later in 2024.
Infusing mixed reality capabilities into apps workers are already using, on devices they already have in their pockets, is just one way we’re working to bring mixed reality to frontline workers. We’re excited with this next step democratizing mixed reality and bringing leading-edge mixed reality solutions to more people across industries.
This article is contributed. See the original author and article here.
This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more. By focusing on the information and organizational context to reflect the real impact/value of investments and incidents in cyber. We are working to add this to our native toolset as well, we will update once ready.
Prerequisites
License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. You also need to be licensed for Microsoft Copilot for Security, more information here.
Consider setting up Azure AI Search to ingest policy documents, so that they can be part of the process.
Step-by-step guided walkthrough
In this guide we will provide high-level steps to get started using the new tooling. We will start by adding the custom plugin.
Go to securitycopilot.microsoft.com
Download the DataSecurityAnalyst.yml file from here.
Select the plugins icon down in the left corner.
Under Custom upload, select upload plugin.
Select the Copilot for Security plugin and upload the DataSecurityAnalyst.yml file.
Click Add
Under Custom you will now see the plug-in
The custom package contains the following prompts
Under DLP you will find this if you type /DLP
Under Sensitive you will find this if you type sensitive
Let us get started using this together with the Copilot for Security capabilities
The DLP anomaly is checking data from the past 30 days and inspect on a 30m interval for possible anomalies. Using a timeseries decomposition model.
The sensitivity content anomaly is using a slightly different model due to the amount of data. It is based on the diffpatterns function that compares week 3,4 with week 1,2.
Access to sensitive information by compromised accounts.
This example is checking the alerts reported against users with sensitive information that they have accessed.
Who has accessed a Sensitive e-mail and from where?
We allow for organizations to input message subject or message Id to identify who has opened a message. Note this only works for internal recipients.
You can also ask the plugin to list any emails classified as Sensitive being accessed from a specific network or affected of a specific CVE.
Document accessed by possible compromised accounts.
You can use the plugin to check if compromised accounts have been accessing a specific document.
CVE or proximity to ISP/IPTags
This is a sample where you can check how much sensitive information that is exposed to a CVE as an example. You can pivot this based on ISP as well.
Tune Exchange DLP policies sample.
If you want to tune your Exchange, Teams, SharePoint, Endpoint or OCR rules and policies you can ask Copilot for Security for suggestions.
Purview unlabelled operations
How many of the operations in your different departments are unlabelled? Are any of the departments standing out?
In this context you can also use Copilot for Security to deliver recommendations and highlight what the benefit of sensitivity labels are bringing.
Applications accessing sensitive content.
What applications have been used to access sensitive content? The plugin supports asking for applications being used to access sensitive content. This can be a fairly long list of applications, you can add filters in the code to filter out common applications.
If you want to zoom into what type of content a specific application is accessing.
What type of network connectivity has been made from this application?
Or what if you get concerned about the process that has been used and want to validate the SHA256?
Hosts that are internet accessible accessing sensitive content
Another threat vector could be that some of your devices are accessible to the Internet and sensitive content is being processed. Check for processing of secrets and other sensitive information.
Promptbooks
Promptbooks are a valuable resource for accomplishing specific security-related tasks. Consider them as a way to practically implement your standard operating procedure (SOP) for certain incidents. By following the SOP, you can identify the various dimensions in an incident in a standardized way and summarize the outcome. For more information on prompt books please see this documentation.
Exchange incident sample prompt book
Note: The above detail is currently only available using Sentinel, we are working on Defender integration.
Recent Comments