Is Microsoft Copilot AI an ultimate solution for business? CodeTwo CEO talks with MVP Tony Redmond

Here’s a deep dive into generative AI with Szymon Szczesniak (CodeTwo CEO) & Tony Redmond (Microsoft MVP since 2004). Watch the podcast below to find out more about Microsoft Copilot, Microsoft 365, new edition of Exchange on-prem, and tackling everyday challenges of an IT admin. Should we keep calm and ignore AI?

Pssst… You’ll find the transcript for the podcast below the video.

Podcast transcript

Szymon Szczesniak: Hello and welcome to the first, and hopefully not the last, episode. Today we are at ESPC 23 in Amsterdam, and our guest is Tony Redmond.

Tony Redmond: Hello!

Szymon Szczesniak: Tony, you’ve been an MVP since 2004.

Tony Redmond: That’s about right.

Szymon Szczesniak: That’s correct. Former senior executive and CTO at Digital Equipment, Compaq and HP.

Tony Redmond: Yup.

Szymon Szczesniak: Currently the principal author of “Office 365 for IT Pros” and a couple of different IT blogs.

Tony Redmond: Yeah, that sounds like a criminal record that you’ve just read out for me. Thank you very much.

Szymon Szczesniak: Does it? Do you have these pictures (mugshots)?

Tony Redmond: Yeah, I have many pictures in Google, but let’s not go into that right now. Szymon Szczesniak: Okay! So, today we’re here to talk about joys and pains of an IT admin. Okay? Is that okay with you?

Tony Redmond: Go for it.

Szymon Szczesniak: Okay, so looking at your t-shirt, “Keep calm and ignore AI.” Yesterday, you had a session on generative AI.

Tony Redmond: Generative AI, exactly. Making it work inside Microsoft 365.

Szymon Szczesniak: So, what do you think about all this hype?

Tony Redmond: Well, there’s no doubt that generative AI is going to be important over the next number of years, but I think at the moment we’re right at the top of the hype cycle. And the thing to remember is that all the hype that Microsoft is coming out, I mean, they launched about 170 different Copilots at Ignite a couple of weeks ago. All the hype that Microsoft is coming out with is really only addressing about 20% of the overall Office 365 installed base. They’re the folks who can afford it, people who have got the type of infrastructure and people who have the necessary licenses. So, the rest of the other 80% might be looking at this and saying: “What’s going on?” And, I guess, one of the answers to that question is that we’re seeing the start of generative AI becoming the norm inside office applications. How long will it take before it becomes the norm? Well, how long is a piece of string? We’ll have to wait and see.

Szymon Szczesniak: Okay, so why should we ignore AI?

Tony Redmond: Why should we ignore AI? We should ignore AI unless you think you can use AI, right? And you have to know what that AI is. People, I think, haven’t got their heads around the fact that all of these large language models and such that Microsoft is using are really just language computers. We’ve used numeric computers for years and years and years, so we’re quite familiar with adding, subtracting, and all that stuff, and the manipulation that comes from the ability to be able to manipulate bytes. Right? Now we’re into manipulating words, and that’s what these large language models do. However, they’ve got to have the words to manipulate. That means that people have got to prepare their data. So, the stuff that gets stored inside Microsoft 365 and SharePoint and OneDrive and Teams and Exchange – that’s got to be prepared for use by generative AI. The old adage that “rubbish in equals rubbish out” is true for large language models, as it is for numeric computers. So, there’s a lot of work that’s got to be done. I think some of the demos that Microsoft do – they show extraordinary results. But you got to remember that these demos are being done by people who have rehearsed. They’re using data that’s specially curated to show off the AI, and they’re showing some pretty simple use cases. Now in all of that, they still produce some incredible results. But, before anybody goes and invest in AI, I think they’ve got to have very solid business objectives. They’ve got to have goals that they want to achieve. They’ve got to have measurements for success, and they’ve got to have a Microsoft 365 tenant that’s prepared to use AI. And then they’ve got to have the money that they’re going to have to pay Microsoft for the Copilot licenses, plus any necessary upgrades, let’s say, from Office 365 E3 to Microsoft 365 E3. So, that’s actually quite a lot of work. Once you get that all done, you’re all set.

Szymon Szczesniak: As far as risk assessment is concerned, what would be your suggestion, regarding using Copilot, for the management team?

Tony Redmond: Risk? Well, let’s go back into talking about this notion of a language computer. Generative AI is all about generating information, using the large language models, using this computer, this language computer. But it can only generate from what’s there. Well, it does make things up from time to time, and I can take you through a couple of examples of that. But generally, what Copilot will do is it’s going to take some information that you already have, be it in SharePoint or OneDrive or Teams or Exchange, and it’s going to generate something for us. For example, you’re at a Team’s meeting, or you miss a Team’s meeting, you could then take the transcript that’s generated during the meeting, and you can summarize it. Well, Copilot will summarize it for you. I think that’s a very good use case for something like AI, because it’s able to take all the captions, these live captions that are generated through a meeting – little snippets of information – it’s able to filter all that out, it’s able to find what’s the important things in it, and say: “Okay, here you go, Simon. This is exactly what you missed during the meeting, four bullets.” Now for someone like you, as a CEO of a busy company, getting four bullets instead of having to sit through an hour meeting, that’s gold dust. Because you can then take 30 seconds to look at those bullets, figure out is that good or not, and then go on.

Szymon Szczesniak: But as far as these bullets are the most important part of the meeting, and not something else.

Tony Redmond: Generally speaking, they’re pretty good. It’s pretty good. I’ve got to say my experience of using these recaps, these intelligent recaps, they’re pretty good. They captured the essence. The thing is that one of the things I’ve been saying to people is: “Don’t let AI run the shop”. Human intelligence has got to drive everything. So you, as a CEO, you’ve got to look at your four bullets, but you’ve got to say: “Is anything missing here? I might have expected more. I didn’t get enough information.” And, in that case, you’re going to do one of two things. If you’ve got Copilot, you might go and do some more querying with Copilot to find out some more information that was generated. Maybe somebody’s written up a document about a particular point and you find that. Or if you don’t have Copilot, you’ll do what CEOs have been doing since the dawn of time, which is like calling out to somebody to say: “What the hell happened to that meeting? Tell me about it and why this wasn’t done.” That’s the human driving the conversation.

Szymon Szczesniak: So garbage in, garbage out. It actually processes the information that we already have. It recycles it in some way and then produces something out of it. So, I’m thinking from the CISO perspective.

Tony Redmond: Well, the difficulty here… Remember that one of these language computers, these large language models, it’s all about finding the best next word. Okay, so you’ve got a project. What’s the next best word after that? Well, that depends on context, and that depends on what the user has provided as context, because then that’s done through a thing called a prompt, which the user starts to engage in a conversation with Copilot. If the user doesn’t provide good context, well then the computer is probably not going to come up with a great suggestion for the next word. But if the user provides good context, then the computer will know: “Well, okay, I’ve got to go and find these project documents, and that’s what I’m going to summarize, and that’s what I’m going to create.” For example, a PowerPoint deck with two slides in it, which is the summary of where we’re at right now with this project. That’s the generative part of the AI working. This means a couple of things for an organization. The first thing is that clearly users have got to be trained to prompt the DAI to get good information back. There’s a lot of people out there who can barely manage to do a keyword search with Google, find a soccer match with Google. “Okay, how do I do that?” And it’s taken time for people to really come to grips with using keyword searches. Now, it’s not a simple keyword anymore. You’re going to be having a conversation with the AI. This AI is like a digital assistant, except it’s stupid in many ways. You have got to tell the stupid digital assistant exactly what you want to do. That’s the first thing, we got to help users to do that. The second thing is we got to think about the data that the AI can consume. Now, a couple of years ago, 2015, Microsoft came out with the Delve app. And boy, that caused a whole pile of difficulties. Because all of a sudden, Delve would use the Microsoft Graph with all the information about how people were working with documents, and it used the Graph to say: “Hey, guess what Simon? Here’s these three documents that you might be interested in.” And it obeyed, Delve obeyed all of the access controls that existed within the organization. It only ever showed people what they could see. But sometimes people didn’t have the right access controls on SharePoint sites and OneDrive, and all of a sudden sensitive data emerged. And this caused a lot of organizations to rethink how they managed sensitive data, et cetera, et cetera. We now move on eight years, and we’re moving from an era of where applications are suggesting documents to people, to where they’re going to consume documents. And this becomes a much more serious problem in some ways, because if you’re not careful, Copilot could take the context that you’ve given it in your prompt, and it could find some sensitive information that is available to you, extract that sensitive information, bring it back, and provide it to you in a response. That response might be an email that you’re handcrafting to a customer. And you might do what human beings are prone to do, which is be lazy and look at it and say: “Oh, thank you very much AI. You’ve produced some really nice information for me.” Send. Bang! Sensitive information just gone. And that actually underlines a really important concept, which is that the human is responsible for everything the AI generates. The AI is your stupid digital assistant. And if you had a stupid human assistant, you would check every piece of work they did, right?

Szymon Szczesniak: Exactly.

Tony Redmond: So you’re going to check what the AI does as well. If you don’t, then sensitive data might get leaked.

Szymon Szczesniak: Yeah, so you cannot take everything for granted. That’s the way it works.

Tony Redmond: That’s the way it works. And even some people would say: “You can take sensitivity labels and you can stamp sensitivity labels on really super sensitive, confidential documents”. You know, salary planning for next year – that’s something that everybody wants to see, right? So, I’m going to stamp my Excel worksheet with that – sensitivity labels saying hyper-confidential. I’m going to hope that Copilot (A) doesn’t find that spreadsheet, which it could do, and (B) doesn’t have the right to extract information from that spreadsheet and give it back to the user. There are sensitivity labels that are based on a thing called an access right. If Copilot has the right to extract information from a document, it’s going to use it. Again, that’s going to be part of the planning and that has to be done upfront to say: “You know what? Where are we really going to keep our most sensitive stuff? How are we going to protect our most sensitive stuff? How are we going to make what’s appropriate for reuse? How are we going to coach users in recognizing when sensitive information might be used? And how are we going to tell them what to do if they see something come through?” Because that’s a good opportunity, I think, for IT to get involved and say: “Oh, you know what? We may have a SharePoint site that needs some tweaking for the access controls there.” Or even individual documents. In all of this, by the way, just before people think that I’m being terribly, terribly negative, again – it is the humans in control here. Humans are the ones who set access controls on SharePoint sites and OneDrive accounts. Humans are the ones who stamp documents with sensitivity labels. If humans make mistakes, the AI might expose those mistakes, but it’s not the AI’s fault. The problem is with the humans.

Szymon Szczesniak: Exactly. So it’s a productivity boost, but as you said, it’s a stupid assistant and we have to check everything it produces before it goes live, and we have to make sure that it has access to the information that we want it to have access to, right?

Tony Redmond: Yeah, just saying that back in a slightly different way – I think people will take time to get accustomed to interacting with Copilot, and that will come about through becoming accustomed to producing prompts that generate accurate results. They will then have to become accustomed to dealing with the Copilot responses and understanding how to best use them. They will also have to become accustomed to perhaps removing some information that they’re storing today. Because another thing about generative AI is that if it finds inaccurate information it could use it. Now I don’t know about you, but I have probably some inaccurate information. Articles I wrote maybe four years ago, how accurate are they, when they talk about some feature of Microsoft 365? I may have been discussing a bug that Microsoft fixed two years ago. I may have been discussing a problem that I was the only one in the world that perceived it was a problem. Copilot doesn’t care. If I give it context to, say: “Go find this information and produce something else out of it”, and it finds this inaccurate information and reuses it, whose fault is it? Mine again. So the whole thing is, I think, we’re at the start. It’s going to take us time to become experienced with this stuff, and it’s going to take us time to master it, to really get the benefits of all the productivity advances that people anticipate, that Microsoft is saying is there, and to make it work for the average Office 365 user. Now it’s going to take time.

Szymon Szczesniak: So we talked about productivity. Let’s talk a little bit about focus. Today, we have so many apps. We have a couple of different devices. We get notifications all the time. A lot of people have problems with focus. What’s your take on that?

Tony Redmond: Well, I have problems with focus, like everybody else. As we’re taping this, my iPhone in my pocket is buzzing at me, and I can feel the buzzing.

Szymon Szczesniak: Do you know who is calling you?

Tony Redmond: I don’t know, but I have this almost irresistible temptation to put my hand in my pocket and bring out my iPhone to see what’s happening. So that’s just me and focus. I think everybody’s got to find their own way to preserve focus. I am focused when I write. I focus when I code. I code very badly, but I’m focused. So that’s good. Good focused, bad code. Maybe if I wasn’t so focused that the code would be better. I don’t know. Maybe I should just let Copilot write the code and then it would be great or something like that, but then maybe not. I think the trick is everybody’s got to find their own rhythm. We’ve all got to get particular pieces of work done. I guess it doesn’t really matter how we work, as long as we get that work done. It really does matter. If you were the most focused person on the face of the planet, you were capable of ignoring all the Teams chats, all the email, all the WhatsApp, everything else that could distract you, but you weren’t productive. That’s a different problem. That’s a different conversation you’re going to have with that employee, right?

Szymon Szczesniak: Exactly. We talked about it yesterday.

Tony Redmond: Yeah, exactly. To me, it’s much more important if people get stuff done, then I think it’s up to them to decide how they get stuff done.

Szymon Szczesniak: Unless they work from 9 to 5 and this is how they do it. So if they’re not focused during this time frame, they will not get sh*t done.

Tony Redmond: But if they’re not focused during 9 to 5 and they still get the work done, does that matter to you?

Szymon Szczesniak: If they get the work done – yes, that’s okay. But if they run out of time and they just go home, then…

Tony Redmond: Well, obviously then we’re getting into the other problem area for people. But as I said, I think everybody’s got to find their own rhythm. When you find your own rhythm and you figure out how to do it yourself. As I said to you, I think last night, quite often I sit down on a couch at home with a PC, and I’ve got the news going on on the TV, and I’ll still be able to write. Not sure whether my writing would improve, if I was totally head down and I wasn’t occasionally taking a little bounce up to see what was happening, what the latest tragedy was in the world or whatever. But that’s just me, that’s what I do. So it’s up to everybody to figure out their own way. But there’s no doubt we… computers and computer applications make incessant demand on our focus. Ståle Hansen, who’s a well-known advocate for wellness – I think one of the good points he makes is that the first thing you should do with any new app that you’re going to use is go to the notifications section in the settings and tone them down. Because, by God, one thing an app wants to do is to tell you when it’s busy and it will tell you when it’s busy. Get rid of all the notifications and maybe build it up so you can only get the most essential ones. For example, I do not like getting notifications each time somebody mentions me in a Teams chat. I don’t care. I’ll get back to the chat when I get back to the chat. I don’t need to be said: “Come here, Tony, right now. You’ve been mentioned.”

Szymon Szczesniak: Do you have it switched off?

Tony Redmond: Oh, yes, big time. Oh, yes, I do. Yes. Listen to Ståle.

Szymon Szczesniak: This is why we disagreed on chat because I meant that if the chat is on, if the notifications are on, then it’s…

Tony Redmond: Yeah, we disagree. You advocate not to chat as a corporation, right? And you advocate for all discussions should take place in Teams channels.

Szymon Szczesniak: Yes, or email or Teams calls.

Tony Redmond: Or email, in some way that can be recorded, right?

Szymon Szczesniak: Yeah.

Tony Redmond: I have a slightly different perspective because a lot of the work that I do is with people outside of my tenant. Therefore, almost by necessity, I’m in a chat. I’m in a federated chat. Be it a one-to-one federated chat or in a group chat that’s part of the meeting, and I’m chatting away. That’s where I get a lot of my chat interruptions, and that’s where I would get a lot of notifications that I have now suppressed.

Szymon Szczesniak: Okay, awesome. The most important trait of an IT person?

Tony Redmond: Get stuff done. The ability to get stuff done.

Szymon Szczesniak: Okay. That’s it?

Tony Redmond: Yeah. Because that covers an awful lot. For example, you won’t be able to keep on getting stuff done unless you stay abreast with new technology. If you don’t stay up to date, you’re going to lose your ability to get stuff done. It implies that you have a certain control over yourself because if you don’t have that control, you don’t have the focus, you won’t get stuff done. It implies that you have the ability to work with other people because if you can’t work with other people, you’re not going to get stuff done. At least you might get some stuff done, but any time that you’re in a group or collective environment, you won’t get stuff done. So to me, get stuff done, and maybe to tune it to say get the right stuff done, I think that’s the biggest gift that you can have in the IT environment.

Szymon Szczesniak: Yeah, okay, let me see.

Tony Redmond: You’re writing it down? You’re going to use that now in some upcoming employee reviews: “What’s your ability to get stuff done?”

Szymon Szczesniak: <laughs> You can easily tell this is my first podcast because I have to look at the notes.

Tony Redmond: You do very well.

Szymon Szczesniak: We didn’t discuss it yesterday, but I have a question about the new edition of Exchange on-prem. What do you think this will be and will it have any new features?

Tony Redmond: Well, I can confidently say that it’s going to be called Exchange Server.

Szymon Szczesniak: That’s new! <laughs>

Tony Redmond: I can confidently say that it will be an email server, and I can confidently say that it will run on Windows, and I can confidently say that it will use a subscription model.

Szymon Szczesniak: That’s new.

Tony Redmond: That’s the new part, yes. I think this is reasonable. I think it’s sensible for people that want to keep on using Exchange on-premises. They’re going to have to pay for the privilege and they’ll be paying through the subscription model rather than enterprise agreements or whatever. Microsoft is dealing with a declining base. We don’t know exactly how many Exchange servers are out there. One thing we can say there’s a lot of old Exchange servers out there. There’s a lot of Exchange servers that should be turned off. We know this from some of the attacks. I mean… I can’t think of another instance when the FBI had to step in and patch servers for people in the United States. That was weird. When Microsoft last year announced, or earlier on this year announced that they were going to stop allowing old Exchange servers to transmit email into Exchange Online, they suddenly find out: “Wow, you know what? There are hundreds of Exchange 2007 servers out there sending email to Exchange Online. What’s happening here? Where are these servers? Did somebody forget to turn them off a long time ago?” It’s the same – there’s a lot of Exchange 2010, there’s a lot of Exchange 2013 out there. I think the world is changing. There’s a lot more threat out there than ever before from attackers who do want to compromise people’s IT installations, be them on-prem or in the cloud. And I think we’re heading towards a stage where people are just going to have to stay up to date. Part of that is moving to a subscription model that encourages people to stay up to date. That’s why I think the Exchange guys, that’s the road I think they’re on.

Szymon Szczesniak: As far as I remember, next year Microsoft Exchange Online or EOP will not accept emails that are sent from older Exchange versions, right?

Tony Redmond: It’s already started. 2007, 2010 I believe already.

Szymon Szczesniak: 2013?

Tony Redmond: It’ll get to 2013 next year, yeah. I mean, Microsoft have been very emphatic about this. They said: “You know what? We have a window of servers that we will accept email from, and gradually, over time, we’re going to narrow that window to exclude these old servers.” And that’s just the way it is.

Szymon Szczesniak: Okay. So if we’re talking about cybersecurity, why do you think there’s still so many accounts on Microsoft 365 without MFA enabled?

Tony Redmond: Multifactor authentication – it’s a bit like encrypted emails. I think anybody who’s worked in the email world for a while will probably say: “Yeah, encrypted email is a good idea because it prevents attacks against that email.” But then it’s just too much bother to go and set up and manage. And that’s the same, I think, with MFA. People feel that it is difficult to set up and manage.

Szymon Szczesniak: Is it?

Tony Redmond: Well, to some degree. I think the early days of MFA, if you think about it in Office 365, the classic way it was done is on a per-user basis, using some pretty horrible GUIs, and the MSOL PowerShell module. Now the MSOL PowerShell module is going away, and per-user ID, MFA, I think, is going to go away as well because Microsoft wants to get everybody to use Conditional Access Policies as a way of controlling the flow of connections coming in to Microsoft 365, to be able to analyze those connections as they come in, to make sure they’re coming from the right place, to make sure they’re coming from the right devices, to make sure that they’re going to the right applications, and that the authentication that’s being used, the strength of the authentication, which is very poor if it’s just password, right up to very strong if it’s something like Windows Hello or a FIDO key – to make sure that the appropriate authentication strength is used. They’re on that journey, and they’ve been on that journey for a while. Last year, Alex Weinert, who’s the Vice President for Identity Security and Entra ID, he came and he talked to a conference in Atlanta and he said: “There’s only 26.5% of Office 365 or Microsoft 365 accounts that are secured with MFA, and if we look at administrators, it’s only 36.15%.” That was pretty poor. We’ve been going up a couple of percentage points every year.

Szymon Szczesniak: Everyone who gets hacked, they change the strategy, right?

Tony Redmond: Yeah, I think things have become a lot more secure since basic authentication was removed. That cuts out all the password spray attacks. But now we have other attack vectors opening up. We’ve got the man-in-the-middle attacks, we have token theft attacks, et cetera, et cetera. The next stage of the crusade is now on is: let’s get rid of insecure MFA. Let’s get rid of SMS, the classic thing of sending you a four-character text message saying: “Put in 9-3-1-7 euro sash, or ringing somebody on a phone. That’s all going because it’s susceptible to attack. We are moving much more towards biometrics. We’re moving much more towards the possession of a hardware entity like a FIDO key or the Authenticator app, you’re seeing developments like the Authenticator lite being built into mobile Outlook to encourage people. And just, gradually, what’s happening I think is that Microsoft is removing friction from MFA to make it easier to deploy and easier to manage. Once you get Conditional Access Policies up and running and they work properly – and let me not underestimate the amount of difficulty and hardship and pain that sometimes goes into making a set of Conditional Access Policies work well for an organization – but the point is that once that happens, once you achieve that point where you are managing connections smoothly and securely, with the right level of strength, then they just work. That’s where we’re heading for. It’s just going to take time to get there.

Szymon Szczesniak: Okay, thank you. It was Tony Redmond.

Tony Redmond: Hey. Is that it? <laughs>

Szymon Szczesniak: Yeah, that’s it. It’s 30 minutes. I’ve seen him <points at colleague from CodeTwo> showing me: “Just one more minute to go.” So we’re done. Thank you.

Tony Redmond: Ok, I just got warmed up. <laughs>

Szymon Szczesniak: Thank you. Great job.

Tools for Microsoft 365

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.