Nov. 19, 2025
M365 Show - Microsoft 365 Digital Workplace Daily - The Microsoft 365 Agent SDK Is Not Optional
Why DIY Agents Fail in M365 Ecosystems
- Identity ≠ checkbox. “App-only” where you need act-as-user breaks permission fidelity, nukes audit trails, and fails review. M365 access is identity-bound (files, chats, calendars, mail).
- State is not optional. Scaling from a laptop to multiple nodes without shared conversation + turn state causes amnesia: lost clarifications, tool drift, repeated answers.
- Channel chaos. Teams, web, Slack, Outlook all differ (typing, cards, attachments, streaming). Hand-rolled adapters miss protocol semantics → broken UX and support pain.
- Governance cliff. Ignoring Purview/DLP/eDiscovery = automatic “no.” Labels, retention, legal hold must apply to prompts + outputs.
- Orchestrator sprawl. LangChain here, SK there—no standard execution plan, no retries, no observability → fragile systems.
- Compliance gap. Residency, RBAC, tenant boundaries, cross-tenant routing—DIY rarely inherits org posture.
- Debugging despair. No consistent dev tunnel, no end-to-end traces, no channel-aware streaming → ghost bugs and user distrust.
What the Microsoft 365 Agent SDK Actually Provides (Model-Agnostic Core)
- Auth + Authorization done right
  - Built-in sign-in handlers, consent surfaces, token exchange.
  - Act-as-user when needed; fall back to app creds when safe.
  - Least-privilege, real audit trails, permission fidelity across Graph/SharePoint/Outlook.
- Durable conversation management
  - Thread + turn state that survives clusters/load balancers.
  - Correlation IDs, shared storage patterns—multi-turn that actually works.
- Activity protocol + real adapters
  - Standard message/event/typing/attachment/card types.
  - Adapters for Teams, web chat, Slack, Copilot Studio—native behavior without bespoke glue.
- Orchestrator neutrality
  - Plug Semantic Kernel, Azure AI Foundry planners, OpenAI, your own stack.
  - Prompts/tools as modular units. Swap models/planners without rewrites.
- Streaming awareness
  - Auto-detect channel capability → stream tokens where supported, fall back to typing/chunking where not.
- Dev productivity + diagnostics
  - VS/VS Code scaffolds, secure dev tunnels, multi-channel playground.
  - End-to-end traces, telemetry hooks, correlation IDs for model/tool/channel latency.
- Open-source, free core
  - Pay only for your chosen models/search/storage. Python and C# supported.
Implementation Blueprint: From Zero to Multi-Channel Agent
- Scaffold the agent
  - Create an M365 Agent project with the Echo template.
  - Run locally → validate activity flow in the playground. Fix env vars/ports/creds first.
- Wire core handlers
  - onMembersAdded (greeting), onMessage (routing), onInvoke (cards/actions).
  - Add sign-in handler → consent, code exchange, user-scoped token on the turn.
- Register your orchestrator
  - Add SK / Azure AI Foundry / OpenAI via DI.
  - Keep prompts in files, tools as functions (typed inputs/outputs). Interface-wrap model calls.
- Persist state
  - Use turn/conversation state for chat history, tool outputs, correlation IDs.
  - Store state outside process for cross-node continuity.
- Register channels via Azure Bot Service
  - ABS as broker → one HTTP endpoint, many channels (Teams, web, Copilot Studio).
  - Stop doing bespoke sockets.
- Enable streaming
  - Flip SDK streaming on; let adapters auto-negotiate. Stream partials where supported; typing/chunks elsewhere.
- Diagnostics
  - Playground to simulate channels, inspect headers/tokens.
  - Telemetry with correlation IDs across message → model → tools → response.
- Ship a thin slice
  - One prompt + one tool. Use act-as-user for Graph, app creds for external.
  - Persist tool results; render final Adaptive Card; verify streaming + audit entries.
- Guardrails
  - Tool registry with scopes/roles/labels.
  - Planner proposes; policy authorizes. Confirmation for risky actions (send mail, post to Teams).
  - Enforce DLP/labels before/after tool calls.
- Automate provisioning
  - Scripts for ABS, channel registration, app IDs/secrets, env config.
  - Commit prompt files, state schema, tool interfaces.
Security, Compliance and Governance: Why the SDK Is Non-Optional
- Entra identity for agents: real principals, act-as-user, auditable actions.
- Purview everywhere: labels/DLP on prompts + outputs; eDiscovery/retention/holds aligned with mail/docs.
- Defender signals: posture + runtime alerts for agentic systems (prompt injection, exfil, anomalous tools).
- Zero-Trust by design: scoped tokens per turn, policy-gated tools, task-adherence checks.
- Compliance automation: retention on conversations, audit logs per channel, legal hold compatible.
Common Pitfalls and How to Avoid Them
- ❌ Hand-rolled adapters → ✅ SDK adapters (Teams/web/Slack/Copilot Studio).
- ❌ Stateless turns → ✅ Persist conversation/turn state (survive failover).
- ❌ Model logic in handlers → ✅ Abstract cognition (swap planners/models freely).
- ❌ App-only everywhere → ✅ Sign-in + act-as-user for Graph-bound actions.
- ❌ Fake streaming → ✅ SDK streaming with graceful fallbacks.
- ❌ Direct sockets per channel → ✅ Azure Bot Service as broker.
- ❌ No governance story → ✅ Register identity, apply Purview/DLP, enable audit day one.
Checklist
- SDK adapters
- Persistent state
- Orchestrator abstraction
- Sign-in (act-as-user)
- Streaming enabled
- ABS registered
- Purview/DLP wired
Advanced Patterns: Scale, Extensibility and Real Enterprise Use
- Tool catalogs with policy: scopes/roles/labels; confirmations for risky actions; admins gate exports.
- Planner-led skills with resilience: retries, circuit breakers, idempotent tools; keep CoT private; return
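
The "planner proposes; policy authorizes" guardrail and the tool-catalog mapping in the notes above, as an added Python example. It is not Microsoft 365 Agents SDK code and not from the show; the class names, roles, labels, users and the `Example.Export` scope are assumptions, and results are keyed on a request ID so a retried tool call does not repeat its side effect.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional

class Label(IntEnum):       # constructed ordering; a real tenant defines its own labels
    PUBLIC = 0
    GENERAL = 1
    CONFIDENTIAL = 2

@dataclass(frozen=True)
class Tool:
    name: str
    run: Callable[[dict], str]
    roles: frozenset        # roles allowed to invoke the tool
    scope: str              # scope the turn's user token must carry
    max_label: Label        # highest data label the tool may touch
    confirm: bool = False   # risky action: needs explicit user confirmation

@dataclass(frozen=True)
class Turn:
    user: str
    roles: frozenset
    scopes: frozenset       # scopes on this turn's user-scoped token
    correlation_id: str

@dataclass
class Decision:
    allowed: bool
    reason: str
    result: Optional[str] = None

class ToolGate:
    """The planner proposes a tool call; this gate decides whether it runs."""

    def __init__(self):
        self._tools = {}
        self._results = {}  # (tool, request_id) -> result, so retries are idempotent
        self.audit = []     # one entry per proposal, allowed or denied

    def register(self, tool: Tool) -> None:
        self._tools[tool.name] = tool

    def _check(self, turn, tool, label, confirmed) -> str:
        if tool is None:
            return "unknown tool"
        if not turn.roles & tool.roles:
            return "role not permitted"
        if tool.scope not in turn.scopes:
            return "token lacks scope"
        if label > tool.max_label:
            return "label exceeds tool ceiling"
        if tool.confirm and not confirmed:
            return "confirmation required"
        return "ok"

    def execute(self, turn: Turn, proposal: dict, confirmed: bool = False) -> Decision:
        tool = self._tools.get(proposal["tool"])
        reason = self._check(turn, tool, proposal["label"], confirmed)
        decision = Decision(reason == "ok", reason)
        if decision.allowed:
            key = (tool.name, proposal["request_id"])
            if key not in self._results:      # first attempt only; retries reuse it
                self._results[key] = tool.run(proposal["args"])
            decision.result = self._results[key]
        self.audit.append({"correlation_id": turn.correlation_id, "user": turn.user,
                           "tool": proposal["tool"], "allowed": decision.allowed, "reason": reason})
        return decision

def build_demo():
    """Constructed registry: calendar for users, mail for owners, export for admins."""
    sent = []               # stands in for a mailbox so side effects can be counted
    everyone = frozenset({"user", "owner", "admin"})
    gate = ToolGate()
    gate.register(Tool("read_calendar", lambda a: "3 meetings", everyone,
                       "Calendars.Read", Label.GENERAL))
    gate.register(Tool("send_mail", lambda a: sent.append(a["to"]) or "sent",
                       frozenset({"owner"}), "Mail.Send", Label.GENERAL, confirm=True))
    gate.register(Tool("export_records", lambda a: "export.csv", frozenset({"admin"}),
                       "Example.Export", Label.CONFIDENTIAL))  # hypothetical scope name
    return gate, sent

def demo():
    gate, sent = build_demo()
    user = Turn("ana", frozenset({"user"}), frozenset({"Calendars.Read"}), "corr-1")
    owner = Turn("bo", frozenset({"owner"}), frozenset({"Mail.Send"}), "corr-2")
    cal = {"tool": "read_calendar", "args": {}, "label": Label.GENERAL, "request_id": "req-1"}
    mail = {"tool": "send_mail", "args": {"to": "team@example.com"},
            "label": Label.GENERAL, "request_id": "req-42"}
    outcomes = [
        gate.execute(user, cal),                     # allowed
        gate.execute(user, mail),                    # wrong role
        gate.execute(owner, mail),                   # no confirmation yet
        gate.execute(owner, mail, confirmed=True),   # runs once
        gate.execute(owner, mail, confirmed=True),   # retry: stored result, no resend
        gate.execute(owner, {**mail, "label": Label.CONFIDENTIAL}, confirmed=True),
    ]
    return [o.reason for o in outcomes], sent, gate.audit

if __name__ == "__main__":
    print(demo()[0])
```

Denied proposals are written to the audit list with the turn's correlation ID as well, so a refused call stays traceable to the user and turn that triggered it.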
Transcript
1
00:00:00,000 --> 00:00:03,600
You are building custom AI agents for Microsoft 365 the hard way.
2
00:00:03,600 --> 00:00:06,600
That's why they break, stall, and fail security review.
3
00:00:06,600 --> 00:00:09,000
The moment a real user shows up.
4
00:00:09,000 --> 00:00:14,600
The truth, the Microsoft 365 agent SDK isn't optional if you want scale, security, and real multi-channel reach.
5
00:00:14,600 --> 00:00:20,000
You'll learn why custom glue fails, what the SDK gives you out of the box, and exactly how to implement it today.
6
00:00:20,000 --> 00:00:23,100
There's one capability that quietly kills most DIY agents.
7
00:00:23,100 --> 00:00:24,600
I'll reveal it before the end.
8
00:00:24,600 --> 00:00:25,700
Immediate payoff.
9
00:00:25,700 --> 00:00:30,800
You'll leave with a deployable blueprint you can defend to security, ship to Teams, and wire to Copilot.
10
00:00:30,800 --> 00:00:34,100
Now let's dismantle the common DIY approach quickly.
11
00:00:34,100 --> 00:00:37,900
Why DIY agents fail in M365 ecosystems?
12
00:00:37,900 --> 00:00:45,500
You're treating identity like a checkbox. Acting as an app when the action must be as the user destroys permission fidelity,
13
00:00:45,500 --> 00:00:49,100
nukes audit trails, and guarantees a failed review.
14
00:00:49,100 --> 00:00:53,300
In M365, access is identity-bound: files, chats, calendars, mail.
15
00:00:53,300 --> 00:00:57,900
If your agent uses a blanket service principal, it either over-privileges or gets blocked.
16
00:00:57,900 --> 00:01:01,700
And when auditors ask, "Who accessed this SharePoint file and why?"
17
00:01:01,700 --> 00:01:02,900
Your logs shrug.
18
00:01:02,900 --> 00:01:04,700
That's not governance, that's guesswork.
19
00:01:04,700 --> 00:01:06,300
Now here's where most people mess up.
20
00:01:06,300 --> 00:01:07,300
State.
21
00:01:07,300 --> 00:01:12,800
Your prototype on a laptop, it works once, then you scale to multiple nodes and your multi-turn logic collapses.
22
00:01:12,800 --> 00:01:18,200
Without shared conversation and turn state across instances, clarifications vanish, tool outputs drift,
23
00:01:18,200 --> 00:01:21,100
and the agent repeats itself like a goldfish with amnesia.
24
00:01:21,100 --> 00:01:26,900
Under load, stateless hacks become user-visible bugs, missing context, contradictory answers,
25
00:01:26,900 --> 00:01:29,300
and sorry, what were we talking about?
26
00:01:29,300 --> 00:01:30,900
Energy channel chaos is next.
27
00:01:30,900 --> 00:01:38,200
Teams, web chat, Slack, Outlook, each speaks a different dialect, typing indicators, attachments, cards, streaming.
28
00:01:38,200 --> 00:01:39,700
None of it is consistent.
29
00:01:39,700 --> 00:01:46,400
You hand-roll adapters, it mostly works, until Teams expects activity protocol semantics your adapter never heard of.
30
00:01:46,400 --> 00:01:52,000
The result: broken messages, no streaming where users expect it, and inconsistent behavior that feels cheap.
31
00:01:52,000 --> 00:01:53,700
Users don't care about your adapter.
32
00:01:53,700 --> 00:01:56,800
They care that the agent behaves like a native citizen everywhere.
33
00:01:56,800 --> 00:02:03,400
Governance cliff. Custom bots ignore Purview signals, skip DLP enforcement, and produce responses no one can eDiscover.
34
00:02:03,400 --> 00:02:05,500
Security says no because they must.
35
00:02:05,500 --> 00:02:10,300
If your agent can't respect sensitivity labels, retention, and legal hold, it's dead on arrival.
36
00:02:10,300 --> 00:02:14,200
The thing most people miss is that governance isn't a feature you add later.
37
00:02:14,200 --> 00:02:15,600
It's the ground you're standing on.
38
00:02:15,600 --> 00:02:17,300
Build without it and the floor gives way.
39
00:02:17,300 --> 00:02:22,000
Orchestrator sprawl adds entropy: a little LangChain here, a bit of Semantic Kernel there,
40
00:02:22,000 --> 00:02:27,400
plus bespoke tools duct-taped to HTTP calls. No standard execution plan, no uniform retries.
41
00:02:27,400 --> 00:02:31,200
Observability turns into a murder mystery with too many suspects and no timeline.
42
00:02:31,200 --> 00:02:34,900
Swap a model or a planner and you're rewriting the agent, not swapping a part.
43
00:02:34,900 --> 00:02:37,500
That's fragility disguised as flexibility.
44
00:02:37,500 --> 00:02:42,900
Compliance gap. Data residency, retention policies, and RBAC don't magically align themselves.
45
00:02:42,900 --> 00:02:46,500
External chats can leak internally if your routing ignores tenant boundaries.
46
00:02:46,500 --> 00:02:48,900
Cross-tenant scenarios? Enjoy the minefield.
47
00:02:48,900 --> 00:02:54,200
If your agent doesn't inherit the org's compliance posture, you're inventing a parallel universe with incompatible laws.
48
00:02:54,200 --> 00:02:57,100
Spoiler alert, that universe never gets production approval.
49
00:02:57,100 --> 00:02:59,800
Debugging despair is the payoff for all of that.
50
00:02:59,800 --> 00:03:04,000
Without a consistent dev tunnel, you're juggling in grogglings and half broken proxies.
51
00:03:04,000 --> 00:03:07,300
Without end to end traces, every failure looks like a ghost.
52
00:03:07,300 --> 00:03:14,500
And channel-aware streaming, if you don't detect capability, you either fake streaming where it doesn't exist or you deprive users where it does.
53
00:03:14,500 --> 00:03:16,700
Both feel wrong, both bleed trust.
54
00:03:16,700 --> 00:03:21,600
The truth: DIY in M365 usually means you rebuild plumbing with garden hoses.
55
00:03:21,600 --> 00:03:24,800
You're busy fighting water pressure when you should be designing the brain.
56
00:03:24,800 --> 00:03:32,100
Enter the Microsoft 365 agent SDK, the boring standardized arteries that keep the system alive so you can focus on cognition.
57
00:03:32,100 --> 00:03:39,900
It handles identity properly, persists state across nodes, speaks the activity protocol with real adapters and respects governance by default.
58
00:03:39,900 --> 00:03:43,900
And yes, it's model agnostic, so your orchestrator drama stops being everyone else's problem.
59
00:03:43,900 --> 00:03:51,900
Once you nail the foundation, everything else clicks. What the Microsoft 365 Agent SDK actually provides: model-agnostic core.
60
00:03:51,900 --> 00:03:53,800
Authentication done right first.
61
00:03:53,800 --> 00:04:00,400
The SDK bakes identity into the activity flow so your agent can act as user when it should and fall back to service credentials when it must.
62
00:04:00,400 --> 00:04:11,100
You get sign-in handlers that surface a clean consent moment, exchange codes for tokens, and hydrate the turn with user-scoped access: Graph, SharePoint, Outlook, tied to the actual human.
63
00:04:11,100 --> 00:04:16,500
The benefit is obvious: permission fidelity, real audit trails and least privilege by default.
64
00:04:16,500 --> 00:04:22,500
The thing most people miss is how this unlocks approvals and actions that a faceless app can't perform without over-privileging.
65
00:04:22,500 --> 00:04:27,100
It's not just auth, it's authorization with a conscience. Conversation management next.
66
00:04:27,100 --> 00:04:31,800
The SDK gives you durable session and thread state that survives across clustered nodes.
67
00:04:31,800 --> 00:04:39,300
Turn state, shared storage patterns, and consistent correlation IDs mean multi-turn doesn't fall apart when a load balancer flips you to another instance.
68
00:04:39,300 --> 00:04:45,100
Clarifications, tool outputs and short term memory persist without you inventing your own sticky session voodoo.
69
00:04:45,100 --> 00:04:49,700
The reason this works is the framework treats conversation as a first class resource.
70
00:04:49,700 --> 00:05:03,700
Your agent stops repeating itself and starts behaving like it knows you because it does, across turns, channels and machines. Enter the activity protocol. Think of it as the common language for agents: types for messages, events, typing, attachments, adaptive cards.
71
00:05:03,700 --> 00:05:14,700
So your logic isn't hard-wired to a single channel's quirks. The SDK ships adapters for Teams, web chat, Slack and Copilot Studio, translating their dialects into the activity model and back out again.
72
00:05:14,700 --> 00:05:25,700
Compare that to bespoke adapters that always miss an edge case: mention entities, file consent flows, live cards. Here those semantics are standardized so your agent feels native in every room it enters.
73
00:05:25,700 --> 00:05:34,300
Orchestrator neutrality is where your future self thanks you. Plug Semantic Kernel, Azure AI Foundry planners, OpenAI or your homegrown stack behind a clean interface.
74
00:05:34,300 --> 00:05:42,500
Prompts and tools live in modular units, not smeared across handlers. Swap a model, change a planner, run A/B without collapsing your agent.
75
00:05:42,500 --> 00:05:50,900
The SDK doesn't pick winners, it enforces seams so you can. If you remember nothing else, isolate cognition from communication and upgrades stop being rewrites.
76
00:05:50,900 --> 00:06:03,700
Streaming awareness matters because user experience is trust. The SDK detects channel capabilities automatically. If the client supports token streaming, use stream, fast first feedback, partial reasoning, adaptive card finalization.
77
00:06:03,700 --> 00:06:17,300
If it doesn't, you fall back gracefully to typing indicators and chunk messages, no fake streaming hacks, no dead air anxiety. And yes, the same logic covers attachments, cards and suggested actions per channel capability without copy-paste conditionals sprinkled through your code.
78
00:06:17,300 --> 00:06:30,500
Toolkit integration is the boring productivity you actually need. Visual Studio and VS Code scaffolding spins up an agent with a working echo dial tone, dev tunnels expose it safely for real channel testing and diagnostics give you end to end traces.
79
00:06:30,500 --> 00:06:46,100
Request headers, tokens present or absent, activities in and out. The playground simulates multiple channels so you can see capability differences without running six apps. Telemetry hooks emit correlation IDs and timing so you can spot latency in tools versus model calls versus channel IO.
80
00:06:46,100 --> 00:06:56,100
This is how you debug in hours, not in folklore. And since you're about to ask: it's open source and free. The SDK cost die you pay for downstream services, the models, search, storage you choose.
81
00:06:56,100 --> 00:07:08,900
That means you inherit enterprise plumbing without surrendering control of your stack. Prefer Python this month and C# for production? Supported. Want to pilot OpenAI, then standardize on Azure AI Foundry with task adherence and security evaluations?
82
00:07:08,900 --> 00:07:17,300
Swap the orchestrator, keep the agent. The truth: the SDK standardizes identity, state, protocol and delivery so your code can focus on reasoning and tools.
83
00:07:17,300 --> 00:07:39,300
It's model-agnostic by design, channel-aware by default, and governance-friendly out of the box. Great features are cute; these are survival traits. Now that you know what you get, let's talk about how to wire it together so it ships and survives first contact with real users. Implementation blueprint: from zero to multi-channel agent. Start with scaffolding. Create a new Microsoft 365 agent project with the Echo template.
84
00:07:39,300 --> 00:07:52,100
That's your dial tone, a guaranteed lights-on signal that channel wiring and activity flow are alive. Run it locally and open the playground. Send a message. If you don't get a response here, stop. Fix environment variables, ports, and credentials before adding any intelligence.
85
00:07:52,100 --> 00:08:07,300
Average users skip this and then blame the model. Don't be average. Now route handlers. Add a join handler to greet users and a message handler to process input. Filter by activity type first (message, conversation update, invoke) and only then by content. Keep filters declarative and narrow.
86
00:08:07,300 --> 00:08:16,100
You'll also wire a sign-in handler. That's where the SDK surfaces consent, exchanges codes for tokens, and hands you a user-scoped access token on the turn. The benefit:
87
00:08:16,100 --> 00:08:30,300
You can call Microsoft Graph as the user without turning your bot into an over-privileged service principal. Yes, that's the grown-up way. Orchestrator plug-in next. Register your orchestrator (Semantic Kernel, Azure AI Foundry, OpenAI) through the SDK service collection.
88
00:08:30,300 --> 00:08:42,300
Separate prompts and tools from handlers. Prompts live in files, tools live as functions with explicit inputs and outputs, and both are unit-testable without channels. The shortcut nobody teaches: wrap model calls behind an interface.
89
00:08:42,300 --> 00:08:58,300
Today it's a chat completion, tomorrow it's a planner. The agent shouldn't care. Your future migrations will thank you. State management is where the toy becomes a system. Use turn state to persist chat history, tool outputs, and any short-term memory you need for multi-turn logic. Store correlation IDs
90
00:08:58,300 --> 00:09:19,300
So you can trace a single user journey across nodes. The thing most people miss is cross-node resilience. Your load balancer will move a conversation mid-stream. Without shared state, clarifications evaporate and your agent status. With the SDK state patterns, it doesn't. Channel registration is where you stop being a lab project. Register your agent with Azure Bot Service as the persistent broker.
91
00:09:19,300 --> 00:09:37,300
ABS terminates channel protocols and forwards activities to your single endpoint. Point Teams, web chat, and Copilot Studio at that ABS endpoint. One endpoint, many channels, consistent semantics. Compare that to custom sockets per channel: brittle, unobservable, and guaranteed to fail during scale testing. Flip the streaming switch.
92
00:09:37,300 --> 00:10:06,300
Enable streaming responses in the SDK. The agent will auto-detect channel capabilities. If streaming is supported (Teams, playground), you'll stream tokens and give instant feedback. If not (some web clients), you'll see typing indicators and chunked sends. You don't branch your code per channel; the adapter does the civilized thing. Fast first feedback reduces abandonment, and yes, you can finalize with an Adaptive Card without faking anything. Diagnostics aren't optional. Use the playground to simulate multiple channels, inspect headers, confirm tokens are present when you expect act-as-user,
93
00:10:06,300 --> 00:10:35,300
and trace activities end to end. Turn on telemetry. Emit correlation IDs from message receipt to model call to tool invocation to response. The truth: without correlation you're guessing; with it you can prove whether lag lives in the model, your tool, or the network. Time to wire a simple capability end to end. In your message handler, parse intent lightly, no heroics, just enough to route. Call your orchestrator with a system prompt that sets constraints and a user message that includes prior turn state. If the model plans to call a tool, execute the tool with user-scoped tokens when the action is
94
00:10:35,300 --> 00:11:03,300
Graph-bound, or service credentials when it's external and safe. Write the tool result to turn state. Stream partial text if supported. When complete, render a final Adaptive Card with the structured output. Add guardrails. Scope tools by role and data sensitivity. A planner can propose calls; your agent authorizes them. That means verifying audience, labels, and action limits before execution. If a tool wants to send mail, require explicit user confirmation. If
95
00:11:03,300 --> 00:11:24,300
SharePoint data, check sensitivity labels and respect DLP. You are not a genie, you're an agent with boundaries. Deploy a minimal slice. Echo works? Good. Add one tool and one prompt. Exercise in playground, web chat, and Teams via ABS. Verify streaming where supported. Verify act-as-user flows and audit entries. Bake these checks into your definition of done.
96
00:11:24,300 --> 00:11:40,300
Only then add more tools, more prompt and richer reasoning. Finally, package repeatability. Create scripts that provision the ABS resource, register channels, configure app IDs, and set environment variables. Commit your prompt files, state schema, and tool interfaces. The outcome is simple: a multi-channel,
97
00:11:40,300 --> 00:11:52,300
stateful, identity-correct agent that debugs cleanly and survives load. Now we can talk about security gates, because that's the door you actually have to open. Security, compliance and governance: why the SDK is non-optional.
98
00:11:52,300 --> 00:12:03,300
pass enterprise gates by vibes. You pass with identity, auditability, and enforceable policy. The SDK hardwires those into your agent so you stop negotiating with security and start inheriting their controls. Start with
99
00:12:03,300 --> 00:12:20,300
identity for agents. It's not some app registration, it's a unified identity model where the agent has its own persona, can act as user with explicit consent, and leaves an audit trail that maps every action to a principal. Acting as the user means permission fidelity: mail, calendar, SharePoint,
100
00:12:20,300 --> 00:12:39,300
Teams, exactly what that human can do, nothing more. Least privilege isn't a slogan here, it's how tokens are minted and scoped on every turn. When compliance asks who accessed this file, under whose authority, and when, you have a deterministic answer because the SDK threads that identity through the activity flow. Now, Purview integration.
101
00:12:39,300 --> 00:12:49,300
This is where most DIY builds fall off a cliff. Prompts and responses are content. Content has labels, retention, and legal obligations. Purview-enforced classification and DLP can evaluate a
102
00:12:49,300 --> 00:12:57,300
inputs and outputs in real time, blocking sensitive leaks, honoring sensitivity labels, and ensuring generated text doesn't violate policy.
103
00:12:57,300 --> 00:13:09,300
eDiscovery alignment means your agent's conversations and artifacts can be discovered, placed on legal hold, and exported under the exact same controls as mail and documents. The thing most people miss is that Purview isn't a bolt-on in the Microsoft
104
00:13:09,300 --> 00:13:22,300
estate, it's the nervous system. The SDK routes signals so labels, retention, and access decisions apply without you writing bespoke regex filters that break on day two. Enter Defender for Cloud with AI-aware detections.
105
00:13:22,300 --> 00:13:36,300
Yes, jailbreaks, prompt injections, and data exfil aren't hypotheticals, they're Tuesday. Defender provides posture recommendations and runtime alerts tailored to agentic systems. That means you get telemetry that recognizes suspicious tool invocation patterns,
106
00:13:36,300 --> 00:13:51,300
anomalous output spikes, and token misuse, backed by threat intelligence you'll never reproduce in house. DIY security engineering pretends it can watch everything. The SDK taps the existing watchtowers that already monitor your tenant. Zero trust for agents isn't a presentation slide,
107
00:13:51,300 --> 00:14:07,300
it's the operating mode. Identity-bound actions, scope-limited tools, and task adherence checks in Azure AI Foundry constrain the agent's behavior. A planner can suggest an action; your policy decides if the agent may execute it, for whom, and with which token. Tools operate inside
108
00:14:07,300 --> 00:14:17,300
permission envelopes: read-only where required, explicit confirmation gates for risky operations, and hard blocks against crossing tenants or labels. The reason this works is simple: tokens are the
109
00:14:17,300 --> 00:14:31,300
authority, and the SDK controls when and how they're issued and used. Compliance automation is where you save calendar quarters. Retention policies apply to conversations, audit logs capture who did what, when, and through which channel. Legal hold can freeze relevant
110
00:14:31,300 --> 00:14:40,300
interactions without you inventing a parallel archive. You're not rebuilding controls, you're inheriting them. Compare that to custom agents that dump logs into a table and call it
111
00:14:40,300 --> 00:14:53,300
client. Your auditors won't be charmed by JSON. The risk delta versus custom is not subtle. DIY means months of designing identity flows, writing token exchanges, bolting on content scanning, inventing redaction rules, and trying to map outputs to
112
00:14:53,300 --> 00:15:07,300
eDiscovery. Then you spend more months proving to security that it works under load, across channels, and in adversarial scenarios. With the SDK you start with defaults that mirror the Microsoft 365 security posture you already run. Day one you have traceability, policy
113
00:15:07,300 --> 00:15:21,300
enforcement, and channel-aware activity semantics that passed the first sniff test. The difference is the inheritance model. Your agent lives inside the enterprise guardrails instead of oscillating just outside them. Governance at scale is where projects either become platforms or die. Centralized
114
00:15:21,300 --> 00:15:35,300
admin control gives IT a single place to see agents, manage identities, rotate secrets, and apply policies. Approval flows can gate new tools, new channels, and new scopes. Policy inheritance means if your org tightens DLP or revises retention, your agent adapts without a
115
00:15:35,300 --> 00:15:44,300
refactor. Org-wide visibility across Teams, web, and Copilot lets you answer the only question executives care about: what are these agents doing in our tenant? With
116
00:15:44,300 --> 00:15:57,300
telemetry you can correlate channel events, agent steps, and model calls under one roof, and you can redact sensitive fragments before logs leave the enclave. Before we continue, you need to understand the political reality. Security never says yes to bespoke a
117
00:15:57,300 --> 00:16:09,300
systems that can't prove identity fidelity, content governance, and operational observability from day one. They'll stall you, and they'll be right. The SDK isn't optional because it converts those debates into configuration. You wire sign-in
118
00:16:09,300 --> 00:16:22,300
handlers, you inherit least privilege. You register through Azure Bot Service, you inherit channel controls. You surface content via the activity protocol, Purview and DLP can see and act on it. You don't plead your case, you
119
00:16:22,300 --> 00:16:37,300
demonstrate it. If you remember nothing else: identity, content protection, and threat monitoring must be first-class citizens in your agent. The SDK makes them boring and automatic. Your custom code should focus on reasoning and tools, not reinventing compliance. Now let's talk about the
120
00:16:37,300 --> 00:17:02,300
ways teams still sabotage themselves and how to avoid that slow-motion disaster. Common pitfalls and how to avoid them. Building your own channel adapters is the fastest way to reinvent the wheel as a triangle. The activity protocol already defines messages, events, typing, attachments, and cards. Use the SDK adapters for Teams, web chat, Slack, and Copilot Studio. You'll get consistent semantics, file consent flows, and capability detection without a
121
00:17:02,300 --> 00:17:25,300
block of edge cases you'll never finish. Treating agents as stateless is next-level sabotage. Multi-turn requires memory. Persist conversation threads and turn state using the SDK patterns so clarifications, tool results, and correlation IDs survive failover and load balancing. The truth: without shared state your smart agent develops retrograde amnesia every time traffic spikes. Hard-coding model logic into handlers glues cognition to transport.
122
00:17:25,300 --> 00:17:55,260
Isolate prompts and tools behind interfaces the SDK can register. That way you can swap Semantic Kernel for Azure AI Foundry planners, test OpenAI versus another provider, or A/B system prompts without ripping out your routing and state code. Upgrades should feel like changing a blade, not disassembling the plane mid-flight. Skipping user auth and running everything as a service principal flattens permissions and kills auditability. Implement sign-in handlers so your agent can act as user when touching Graph-bound assets and only fall back to app tokens for non-user operations. You'll put the
123
00:17:55,260 --> 00:18:25,220
past least privilege checks and finally answer who did what, when, and under whose authority. Ignoring streaming semantics produces a UI that feels laggy and amateur. Enable streaming in the SDK so channels that support it show real-time progress and channels that don't gracefully show typing indicators and chunked sends. Don't fake streaming. Users notice and trust evaporates. Bypassing Azure Bot Service to wire direct sockets per channel multiplies failure modes. ABS is the persistent broker that terminates protocols, normalizes activities, and points many channels
124
00:18:25,220 --> 00:18:41,620
to one endpoint. Use it. Your ops team will thank you when messages route reliably during scale tests instead of vanishing into bespoke socket purgatory. No governance story equals shadow agents. Register identities, apply Purview and DLP policies, and light up audit logs from day one. If your compliance team can't
125
00:18:41,620 --> 00:19:11,540
eDiscover conversations or see label enforcement on outputs, your rollout is already over. The game changer nobody talks about is that governance isn't later, it's the door to production. Now here's the checklist you actually run: use SDK adapters, persist state, abstract cognition, implement sign-in, enable streaming, register through ABS, and wire Purview/DLP. Do that and the common traps stop being your traps. Advanced patterns: scale, extensibility, and real enterprise use. Tool catalogs are
126
00:19:11,540 --> 00:19:29,940
how you keep power without chaos. Define tools with scopes, roles, and data sensitivity tiers. A planner proposes, your policy approves based on audience, label, and action. Map read calendar to most users, send mail to owners with explicit confirmation, and export records to admins only. Tools live in a registry; the agent never free
127
00:19:29,940 --> 00:19:40,140
ranges. Skill composition moves you beyond single-turn party tricks. Use planner-led sequences with retries and circuit breakers at the orchestrator edge. External tools fail, that's their hobby.
128
00:19:40,140 --> 00:20:10,060
Wrap them with idempotent designs and exponential backoff. Keep chain of thought private; return summarized rationale, not raw reasoning. You want transparency, not prompt leak therapy. Cross-tenant exposure demands paranoia with instrumentation. For unauthenticated or B2B scenarios, run monitored sessions with rate limits, content classification, and Purview oversight on inputs and outputs. Identity gates actions: anonymous sessions read public docs, not private mail. Every external turn emits auditable events or it doesn't ship.
129
00:20:10,060 --> 00:20:17,260
Observability is non-negotiable. Correlate channel events, agent steps, model calls, and tool invocations with a single trace ID.
130
00:20:17,260 --> 00:20:32,700
Redact sensitive fragments at the edge before logs leave the enclave. Dashboards should answer three questions instantly: where time went, where errors originated, and who was authorized to do what. If you can't see it, you can't scale it. Migration from TeamsFx? There's a path. Start by
131
00:20:32,700 --> 00:20:46,140
fronting your existing bot with ABS if it isn't already. Incrementally replace custom adapters with SDK adapters, move state into SDK turn state patterns, and isolate cognition behind interfaces. Use SDK templates to stand up parallel routes and switch traffic
132
00:20:46,140 --> 00:20:55,860
gradually. The deprecation clock won't wait; your refactor plan shouldn't either. Cost governance matters when your CFO learns what context window costs. Cache embeddings, dedupe
133
00:20:55,860 --> 00:21:08,660
retrieval, and reuse short-term context across turns. Throttle tool calls with backoff and cap generations with sane token budgets per intent. The shortcut nobody teaches: classify requests early and route FAQ
134
00:21:08,660 --> 00:21:18,740
grade prompts to cheaper models without touching premium planners. Resilience under load is design, not luck. Use session stickiness where available, but assume you'll switch nodes mid-turn.
135
00:21:18,740 --> 00:21:29,740
That's why state lives outside process. Make tools idempotent with request IDs so retries don't double-charge credit cards or resend emails. Concurrency guards stop two turns from stomping the same resource.
136
00:21:29,740 --> 00:21:45,140
Tests should simulate burst traffic, partial outages, and slow dependencies, because production will. Once you nail catalogs, composition, cross-tenant controls, observability, migration hygiene, cost levers, and resilience, your agent stops being a demo and becomes infrastructure.
137
00:21:45,140 --> 00:22:02,740
And yes, this is exactly where the SDK earns its keep: standardized identity, state, protocol, and channel semantics, so your advanced patterns sit on bedrock, not on vibes. The silent killer: state, identity, and channel semantics. You can fake prompts. You can't fake identity-bound actions under load across channels.
138
00:22:02,740 --> 00:22:13,540
Without user-scoped tokens, your agent either overreaches or gets blocked, and your audit trail goes blind. Without shared conversation state, multi-turn logic fractures the moment a load balancer does its job.
139
00:22:13,540 --> 00:22:30,440
Without channel delivery, streaming, cards, and typing semantics degrade into random behavior. The SDK solves these three constraints by design: act as user with auditability, persist multi-turn across nodes, and adapt to channel capabilities automatically. That's the piece everyone misses while hand-wiring LLM calls.
140
00:22:30,440 --> 00:22:43,020
Ship cognition on bedrock, not on vibes, or production will teach you the lesson expensively. Key takeaway: in M365, security, identity fidelity, and multi-channel behavior aren't features. They're the table stakes the agent
141
00:22:43,020 --> 00:22:53,120
SDK delivers by default. Next step: scaffold an agent, wire sign-in handlers for act-as-user, register with Azure Bot Service, and light up Teams and Copilot with streaming enabled and state
142
00:22:53,120 --> 00:23:01,740
persisted. If this made you faster and safer, subscribe. Listen to the next podcast on Purview-enforced AI guardrails so your outputs respect labels, DLP, and e
143
00:23:01,740 --> 00:23:04,120
discovery from day one. Your compliance team won't just
123
00:17:55,260 --> 00:18:25,220
past least privilege checks and finally answer who did what when and under whose authority ignoring streaming semantics produces a UI that feels laggy and amateur enable streaming in the SDK so channels that supported show real time progress and channels that don't gracefully show typing indicators and chunked sense don't fake streaming users notice and trust evaporates bypassing azure board service to wire direct sockets per channel multiplies failure modes ABS is the persistent broker that terminates protocols normalizes activities and points many channels
124
00:18:25,220 --> 00:18:41,620
to one endpoint use it your ops team will thank you when messages root reliably during scale tests instead of vanishing into bespoke socket purgatory no governance story equals shadow agents register identities apply purview and dLP policies and light up audit logs from day one if your compliance team can't
125
00:18:41,620 --> 00:19:11,540
be discovered conversations or see label enforcement on outputs your rollout is already over the game changer nobody talks about is that governance isn't later it's the door to production now here's the checklist you actually run use SDK adapters persist state abstract cognition implement sign in enable streaming register through ABS and wire purview dLP do that and the common traps stop being your traps advance patterns scale extensibility and real enterprise use tool catalogs are
126
00:19:11,540 --> 00:19:29,940
how you keep power without chaos define tools with scopes roles and data sensitivity tears a planer proposes your policy approves based on audience label and action map read calendar to most users sent mail to owners with explicit confirmation and export records to admins only tools live in a registry the agent never free
127
00:19:29,940 --> 00:19:40,140
ranges skill composition moves you beyond single turn party tricks use planar led sequences with retries and circuit breakers at the orchestrator edge external tools fail that's their hobby
128
00:19:40,140 --> 00:20:10,060
wrap them with a damp put in designs and exponential back off keep chain of thought private return summarized rational not raw reasoning you want transparency not prompt leak therapy cross tenant exposure demands paranoia with instrumentation for unauthenticated or B2B scenarios run monitor sessions with rate limits content classification and purview oversight on inputs and outputs identity gates actions anonymous sessions read public docs not private mail every external turn emits auditable events or it doesn't ship
129
00:20:10,060 --> 00:20:17,260
observability is non-negotiable correlate channel events agent steps model calls and tool invocations with a single trace ID
130
00:20:17,260 --> 00:20:32,700
redact sensitive fragments at the edge before logs leave the enclave dashboards should answer three questions instantly where time went where errors originated and who was authorized to do what if you can't see it you can't scale it migration from teams effects there's a path start by
131
00:20:32,700 --> 00:20:46,140
fronting your existing bot with a bs if it isn't already incrementally replace custom adapters with SDK adapters move state into SDK turn state patterns and isolate cognition behind interfaces use SDK templates to stand up parallel roots and switch traffic
132
00:20:46,140 --> 00:20:55,860
gradually the deprecation clock won't wait your refactor plan shouldn't either cost governance matters when your CFO learns what context window costs cash embeddings did you
133
00:20:55,860 --> 00:21:08,660
retrieval, and reuse short-term context across turns. Throttle tool calls with backoff and cap generations with sane token budgets per intent. The shortcut nobody teaches: classify requests early and route
134
00:21:08,660 --> 00:21:18,740
FAQ-grade prompts to cheaper models without touching premium planners. Resilience under load is design, not luck. Use session stickiness where available, but assume you'll switch nodes mid-turn.
135
00:21:18,740 --> 00:21:29,740
That's why state lives outside process. Make tools idempotent with request IDs so retries don't double-charge credit cards or resend emails. Concurrency guards stop two turns from stomping the same resource.
136
00:21:29,740 --> 00:21:45,140
Tests should simulate burst traffic, partial outages, and slow dependencies, because production will. Once you nail catalogs, composition, cross-tenant controls, observability, migration hygiene, cost levers, and resilience, your agent stops being a demo and becomes infrastructure.
137
00:21:45,140 --> 00:22:02,740
And yes, this is exactly where the SDK earns its keep: standardized identity, state, protocol, and channel semantics, so your advanced patterns sit on bedrock, not on vibes. The silent killer: state, identity, and channel semantics. You can fake promise; you can't fake identity-bound actions under load across channels.
138
00:22:02,740 --> 00:22:13,540
Without user-scoped tokens, your agent either overreaches or gets blocked, and your audit trail goes blind. Without shared conversation state, multi-turn logic fractures the moment a load balancer does its job.
139
00:22:13,540 --> 00:22:30,440
Without channel delivery, streaming, cards, and typing semantics degrade into random behavior. The SDK solves these three constraints by design: act as user with auditability, persist multi-turn across nodes, and adapt to channel capabilities automatically. That's the piece everyone misses while hand-wiring LLM calls.
140
00:22:30,440 --> 00:22:43,020
Ship cognition on bedrock, not on vibes, or production will teach you the lesson expensively. Key takeaway: in M365, security, identity fidelity, and multi-channel behavior aren't features; they're the table stakes the Agent
141
00:22:43,020 --> 00:22:53,120
SDK delivers by default. Next step: scaffold an agent, wire sign-in handlers for act-as-user, register with Azure Bot Service, and light up Teams and Copilot with streaming enabled and state
142
00:22:53,120 --> 00:23:01,740
persisted. If this made you faster and safer, subscribe. Listen to the next podcast on Purview-enforced AI guardrails so your outputs respect labels, DLP, and
143
00:23:01,740 --> 00:23:04,120
eDiscovery from day one. Your compliance team won't just