By Åsne Holtklimpen
Another city, another conference where AI is going to “change everything”. ESPC 2025 was off course no exception. The keynote slides promised a future where Copilot does your work, agents run your life and governance magically happens in the background. Spoiler: reality is a little bit more complicated.
Together with my friends and co-workers, I spent three days cutting through the hype to figure out what actually matters for people. Here is the truth, minus the stars and sparkles.
Copilot and Work IQ, what it actually means in practice
Work IQ is not another feel good productivity story, it is Microsoft admitting that nobody trusts marketing slides anymore. The promise is usage signals tied to real work patterns, meetings, documents, collaboration and actual Copilot interactions. If done right, this becomes the first semi honest answer to the question finance has been asking since day one, what are we actually getting for these licences.
For IT this also means something else, visibility into
- where Copilot genuinely saves time
- where it creates more work
- where users avoid it completely
If this data becomes accurate, it will change how rollout decisions are made. It also means some uncomfortable conversations when parts of the organisation discover they are paying for an AI nobody uses.
Agentic mode pushes Copilot from assistant to actor. That is a big mental shift for organisations that still struggle with basic automation trust. The risk is not technical, it is organisational. Once agents can trigger actions across data and systems, governance, approvals and auditability stop being theoretical and become survival tools.
MCP and connectors, the real battlefield for agents
MCP, Model Context Protocol, is Microsoft’s attempt to standardise how AI models talk to tools, APIs and data sources. In plain English, this is the pipe that decides whether your agent can fetch real business data in a controlled way, or whether it starts guessing like a slightly overconfident intern.
Until now, every agent integration has been a custom snowflake. Different auth models, different payload formats, different permission scopes, different failure modes. MCP is meant to bring order to that chaos by defining how context, actions and responses are handed back and forth between the model and your systems.
This matters because agents are only as smart as the data and actions they are allowed to touch. MCP does not make your APIs better. It simply gives the model a cleaner way to expose how bad they already are. If your backend returns inconsistent structures, missing fields and random permissions, MCP will faithfully deliver that mess straight into the reasoning layer.
The uncomfortable truth is this. MCP will separate organisations with disciplined integration design from those who built everything in a hurry and hoped nobody would ever notice. Agents will not fail quietly. They will fail very publicly, and often in front of users.
If you want smart agents, start with boring work. Clean APIs, clear scopes, predictable data, proper documentation. MCP rewards hygiene. It punishes shortcuts at machine speed.
So when to choose MCP and when to choose connectors?
From what I understand, Connectors are for predictable integration. MCP is for dynamic reasoning and action. If your use case is stable and process driven, use connectors. If your use case is contextual, multi step and decision driven, MCP starts to make sense. Using MCP for simple automation is not innovation, it is unnecessary risk.
MCP vs Connectors, the decision table
| Scenario | Use Connector | Use MCP |
|---|---|---|
| Fetch or update data in one system | ✅ | ❌ |
| Power Automate flows and Power Apps | ✅ | ❌ |
| Predictable business processes | ✅ | ❌ |
| Heavy audit and compliance requirements | ✅ | ❌ |
| Multi system reasoning by an agent | ❌ | ✅ |
| Context driven decision making | ❌ | ✅ |
| Semi autonomous or autonomous agents | ❌ | ✅ |
| Dynamic tool selection at runtime | ❌ | ✅ |
Rule of thumb
If you need reliability, auditability and sleep at night, pick connectors. If you need reasoning across systems and accept higher risk, MCP is the valid choice.
And then we have the Agents Toolkit, formerly known as Teams toolkit, because Microsoft having nothing better to do than change names all the time..
Agents Toolkit, the end of friendly fire in app registration
Anyone who has built serious integrations in Entra knows the pain. App registrations, permissions, consent flows, broken Graph calls, half the session spent debugging auth instead of logic. The Agents Toolkit simplifies how agents authenticate and operate across Microsoft 365. That alone will remove a massive barrier for both developers and IT teams.
The real impact is where agents live. When they sit inside Teams, SharePoint and Outlook instead of as separate toys, adoption becomes behavioural, not technical. If users meet agents where work already happens, there is a fighting chance they will actually be used.
Copilot Control System and why admins should be cautiously optimistic
A single governance dashboard sounds like a fairy tale for anyone who lives in the Microsoft portal ecosystem. The promise is policy, access, security posture and usage in one place. If it actually unifies signals across Purview, Entra, Defender and Copilot, it could finally reduce the current state of portal whack a mole.
The risk is that it becomes another surface that depends on ten other workloads being perfectly configured. It will not remove complexity, but it might finally centralise it. That alone would be progress.
I do see a lot of good potential behind the CCS and I have missed having a dashboard to controll Copilot. Im just getting to many dashboards to controll..
Off course we have Agent 365 to controll the agents, and I talked about this in the book of news too, so I will not add much here, but it will hopefully give som more peace of mind for IT admins.. Fingers crossed.
Exposure Management, why this matters more than Secure Score ever did
Secure Score tells you whether you followed Microsoft’s instructions and having 100% on that is nearly impossible, and if you achieve high scores here, end users will not be able to do anything at all….
Exposure Management flips the conversation to real attack paths. Compromised identity, lateral movement, cloud apps, endpoints and privileged access combined into actual exploit chains. This is not about whether a setting is enabled, it is about whether an attacker can move from one weak point to full control in six steps or sixty seconds. It shows how a stolen session token leads to Exchange, which leads to SharePoint, which leads to a misconfigured service principal, which leads to global admin. No colours, no comfort, just the ugly truth of how breaches actually happen.
It also forces uncomfortable prioritisation. You can finally see which misconfiguration is theoretical noise and which one is one password spray away from disaster. That is why this matters more than posture. Attackers do not score your tenant, they walk it. Exposure Management finally shows the map they are using.
Compliance and GenAI
Trying to block consumer AI tools in 2025 is like trying to ban USB sticks in 2008. Visibility wins, control follows. Defender gives you discovery, Purview gives you prevention, Advanced Hunting gives you context. Together they form something close to intelligent guardrails.
This is my heart and soul, and I will go more in to detail on this in a later post. So keep an eye out!
Key takeaways
- Work IQ will expose your Copilot theatre
If Work IQ works as promised, it will show exactly who is using Copilot, where time is saved, where meetings explode, and where licences gather digital dust. Expect awkward reviews when finance discovers that half the organisation uses Copilot only to summarise meetings they never attended. Telemetry does not care about your adoption narrative.
- MCP and connectors will decide if your agents are smart or cosmetic
If your APIs return inconsistent JSON, undocumented fields and random permission scopes, your agents will behave like confused interns. MCP will not rescue bad data design. It will simply make the mess visible faster and in front of more people. If your integration team is allergic to documentation, brace yourself.
- Governance will not become optional just because agents feel magical
Agentic mode means execution, not just assistance. That means someone must approve actions, define scopes, log intent and audit outcomes. If your tenant still lacks conditional access hygiene, privileged identity management discipline and role separation, agents will amplify chaos at machine speed.
- Exposure management beats posture scoring every single time
Secure Score tells you that you ticked the boxes. Exposure Management shows how you get breached anyway. If your identity boundary is weak, a perfect score will not save you. Identity plus endpoint plus cloud app exposure is where real defence starts. Everything else is theatre.
- Security Copilot will not replace analysts, but it will expose weak ones
When Security Copilot starts correlating XDR, Entra, cloud app and identity signals in seconds, the gap between analysts who understand security and those who memorise portal clicks will become painfully obvious. Expect cultural friction. AI does not tolerate shallow expertise.
- Agents Toolkit removes friction, not responsibility
Yes, authentication is simpler. No, that does not mean agents can roam freely. Identity scopes still matter. Data permissions still matter. If your SharePoint libraries are wide open and your labels decorative, agents will faithfully expose exactly what you failed to control.
- Shadow AI does not die by policy, it dies by better tooling
If users can do real work faster with approved Copilot and governed agents, they will abandon browser based toys voluntarily. If your official tools are slow, locked down and bureaucratic, users will simply become more creative in breaking the rules.
- Adoption fails when leadership hides behind comms plans
Usage does not follow roadmaps, it follows behaviour. If senior leaders do not use Copilot in real meetings, real emails and real decision making, nobody else will either. This is not a training problem, it is an ownership problem.
So that was ESPC 2025. Three days of demos, promises and a couple of “Aha”-moments.
The future of work is still Copilot, agents and dashboards that will save us all. In the real world, it is still governance, security and leadership doing the heavy lifting. As always my statement is that AI will not fix bad processes or poor adoption, but it might make the pain slightly more bearable. Until then, keep your scripts sharp, your compliance automated and your sarcasm ready. You are going to need all three.
Author
Discover more from Agder in the cloud
Subscribe to get the latest posts sent to your email.
Therese Lie