Modern Business Solutions: SharePoint & Dynamics 365

Monday, 19 January 2026

Dataverse Benefits and Its Core Features: The Complete Guide for Power Platform Success

What Is Microsoft Dataverse?

Understanding Dataverse benefits and its core features is essential for building secure, scalable business apps on the Microsoft Power Platform. Dataverse is a cloud data platform that lets you store, manage, and securely share structured data across Power Apps, Power Automate, Power Pages, and beyond.

Top Dataverse Benefits

Unified data layer: Standardize data with the Common Data Model so apps speak a common language.
Enterprise-grade security: Role-based access control, row-level security, and field-level protection keep sensitive data safe.
Scalability and performance: Optimized storage, indexing, and server-side logic for high-volume workloads.
Low-code acceleration: Build apps faster with tables, relationships, and business rules—without deep database expertise.
Microsoft 365 and Dynamics 365 synergy: Natively integrates with familiar tools like Teams, Excel, and Dynamics 365.
Governance and compliance: Data loss prevention (DLP), auditing, and region-aware storage help meet compliance needs.
Extensible and open: Connect via APIs, virtual tables, and connectors to systems inside and outside Microsoft’s ecosystem.

Core Features of Dataverse

Structured Data with Tables, Columns, and Relationships

Dataverse organizes information into tables (standard or custom) with rich data types like text, number, date, currency, file, and image. You can define one-to-many and many-to-many relationships to model real-world scenarios.

Business Rules, Logic, and Validation

Create server-side rules to validate data, auto-calculate fields, and enforce policies. Use business process flows to guide users through standardized steps for consistent outcomes.

Advanced Security Model

Use role-based security to control access by table, privilege, and scope. Apply row-level and field-level security to protect sensitive records or fields such as salaries or PII.

Common Data Model (CDM)

Leverage standard, well-defined entities (e.g., Account, Contact) to accelerate solution design and ensure interoperability across apps.

Files, Images, and Large Data Support

Attach files and store images directly in Dataverse with appropriate storage tiers, enabling richer app experiences.

Integration, APIs, and Connectors

Access RESTful Web APIs, use virtual tables to read from external systems in real time, and connect with hundreds of services through Power Platform connectors.

Auditing, Logging, and Monitoring

Track changes to records for compliance and troubleshooting, and monitor performance with environment analytics.

Managed Solutions and ALM

Package and move apps, tables, and flows between environments using solutions to support robust application lifecycle management.

Examples: How Teams Use Dataverse

Sales pipeline management: Use standard Account and Opportunity tables, add custom fields, and enforce a business process flow from lead to close.
Service ticketing: Store Cases with relationships to Customers and Products, trigger Power Automate flows for escalations, and secure sensitive notes with field security.
Supplier onboarding: Build a portal with Power Pages connected to Dataverse tables, validate vendor data with business rules, and audit all updates.

When to Choose Dataverse

Need enterprise security with granular permissions and auditing.
Require rapid app development across Power Apps and Power Automate.
Expect growth in data volume, users, or complexity.
Depend on Microsoft ecosystem like Dynamics 365, Teams, and Microsoft 365.

Best Practices for Success

Design a data model first: Identify tables, keys, and relationships before building apps.
Use standard tables when possible: Start with CDM entities to improve compatibility.
Secure by design: Define roles, row-level security, and DLP policies early.
Automate logic on the server: Prefer business rules and flows for consistent enforcement.
Plan for ALM: Use solutions, versioning, and multiple environments (dev, test, prod).

Getting Started

Create an environment, define your tables and relationships, set security roles, and build a model-driven or canvas app. Connect your flows for automation, and publish solutions for repeatable deployment.

Sunday, 18 January 2026

SharePoint vs SharePoint Embedded: Key Differences, Use Cases, and How to Choose

SharePoint vs SharePoint Embedded: What’s the Difference?

SharePoint vs SharePoint Embedded is a common comparison for teams deciding between a full-featured collaboration hub and a headless content platform for custom apps. While both rely on Microsoft’s trusted content backbone, they serve different needs: SharePoint delivers out-of-the-box sites, lists, and document libraries, whereas SharePoint Embedded provides API-first content services to power your own applications.

Overview and Core Concepts

SharePoint is a comprehensive content and collaboration solution for intranets, team sites, document management, and knowledge sharing. It offers UI-ready features like sites, pages, web parts, permissions, search, and workflows.

SharePoint Embedded is a headless, developer-centric offering that exposes content storage, security, and compliance via APIs. It lets you integrate enterprise-grade content capabilities into custom apps without deploying traditional SharePoint sites.

Feature Comparison at a Glance

Interface: SharePoint includes a rich, configurable UI; SharePoint Embedded is API-first with no end-user UI.
Customization: SharePoint supports low-code and site-level customization; SharePoint Embedded supports deep, code-first integration in your own app experiences.
Collaboration: SharePoint provides document libraries, co-authoring, and pages; SharePoint Embedded focuses on content services (files, metadata, permissions) for app scenarios.
Governance and Security: Both leverage Microsoft 365 security, compliance, and permission models; SharePoint Embedded lets you enforce these controls programmatically in custom apps.
Deployment Speed: SharePoint offers rapid setup with ready-made sites; SharePoint Embedded requires development effort but yields tailored experiences.

When to Choose SharePoint

Pick SharePoint when you need an enterprise intranet, team collaboration, document management with versioning, and content publishing—without building from scratch.

Intranet and Communication Portals: Launch company news, policies, and departmental pages quickly.
Team Collaboration: Use document libraries, lists, and co-authoring to manage projects.
Knowledge Hubs: Create structured repositories with search and taxonomy.
Low-Code Solutions: Combine SharePoint with Power Platform to automate processes without heavy development.

When to Choose SharePoint Embedded

Pick SharePoint Embedded when you’re building bespoke applications that need secure, compliant content services but not SharePoint’s UI.

Custom Line-of-Business Apps: Store and manage files (contracts, designs, reports) within your own UI.
ISV/SaaS Scenarios: Embed enterprise-grade content storage for customers while maintaining tenant isolation and compliance.
Mobile and Multiplatform Experiences: Deliver consistent content features across web, mobile, and desktop via APIs.
Granular Control: Programmatically manage permissions, lifecycle, and metadata aligned to your domain model.

Practical Examples

Example 1: HR Intranet vs HR Case App

SharePoint: Build an HR portal with policies, onboarding pages, and a document library for templates—launched quickly with minimal custom code.

SharePoint Embedded: Build an HR case management app where case files, notes, and attachments are stored via APIs with strict permission models per case.

Example 2: Project Collaboration vs Engineering File Service

SharePoint: Create project sites with document libraries, task lists, and integrated co-authoring for cross-team collaboration.

SharePoint Embedded: Power an engineering app that programmatically stores design files, enforces role-based access, and tags metadata for lifecycle workflows.

Example 3: Knowledge Base vs Multi-Tenant SaaS Content Layer

SharePoint: Publish FAQs, guides, and SOPs with navigation, search, and permissions out of the box.

SharePoint Embedded: Provide a multi-tenant SaaS with isolated customer content, auditable access, and retention policies—all controlled via APIs.

Decision Criteria

Speed to Value: Need a turnkey portal? Choose SharePoint. Need custom UX with tight integration? Choose SharePoint Embedded.
Development Resources: Limited dev capacity favors SharePoint; engineering-heavy teams may prefer SharePoint Embedded.
User Experience Control: SharePoint gives configurable UI; SharePoint Embedded gives full UI ownership.
Scalability and Multi-Tenancy: SharePoint Embedded can simplify content isolation for multi-tenant apps.
Compliance and Security: Both inherit enterprise-grade controls; choose based on whether you need UI-ready governance or code-driven enforcement.

Cost and Operations Considerations

SharePoint typically aligns with Microsoft 365 licensing and offers rapid deployment with predictable admin overhead. SharePoint Embedded emphasizes consumption via APIs and may optimize cost for app-centric workloads where you pay based on usage patterns. Evaluate total cost by factoring development time, hosting, API usage, administration, and support.

Migration and Coexistence Strategy

These services can coexist. Many organizations run their intranet on SharePoint while building specialized apps on SharePoint Embedded. Start with centralized governance and information architecture, define metadata and retention, then integrate search and security groups to avoid duplication.

Summary: Which One Is Right for You?

If you want a robust collaboration hub with minimal coding, choose SharePoint. If you need to embed secure, compliant content capabilities within custom apps and retain full control over the UI and logic, choose SharePoint Embedded. In many cases, a hybrid approach delivers the best of both worlds.

Integrate Power Apps with AI using Azure Functions (.NET 8) and Azure OpenAI with Managed Identity

Integrate Power Apps with AI by fronting Azure OpenAI behind a secure .NET 8 isolated Azure Function, authenticated via Entra ID and deployed with Azure Bicep. Why this matters: you keep your Azure OpenAI keyless via Managed Identity, enforce RBAC, and provide a stable HTTPS endpoint for Power Apps using a custom connector.

The Problem

Developers need to call AI securely from Power Apps without exposing keys, while meeting enterprise requirements for RBAC, observability, and least-privilege. Manual wiring through the portal and ad hoc security checks lead to drift and risk.

Prerequisites

Azure CLI 2.60+
.NET 8 SDK
Azure Developer CLI (optional) or Bicep CLI
Owner or User Access Administrator on the target subscription
Power Apps environment access for creating a custom connector

The Solution (Step-by-Step)

1) Deploy Azure resources with Bicep (Managed Identity, Function App, Azure OpenAI, RBAC, Easy Auth)

This Bicep template creates a Function App with system-assigned managed identity, Azure OpenAI with a model deployment, App Service Authentication (Easy Auth) enforced, and assigns the Cognitive Services OpenAI User role to the identity.

// main.bicep
targetScope = 'resourceGroup'

@description('Name prefix for resources')
param namePrefix string

@description('Location for resources')
param location string = resourceGroup().location

@description('Azure OpenAI model name, e.g., gpt-4o-mini')
param aoaiModelName string = 'gpt-4o-mini'

@description('Azure OpenAI model version for your region (see Azure docs for supported versions).')
param aoaiModelVersion string = '2024-07-18' // Tip: Validate the correct version via az cognitiveservices account list-models

var funcName = '${namePrefix}-func'
var aoaiName = '${namePrefix}-aoai'
var hostingPlanName = '${namePrefix}-plan'
var appInsightsName = '${namePrefix}-ai'
var storageName = toLower(replace('${namePrefix}st${uniqueString(resourceGroup().id)}', '-', ''))

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
  name: appInsightsName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
  }
}

resource plan 'Microsoft.Web/serverfarms@2023-12-01' = {
  name: hostingPlanName
  location: location
  sku: {
    name: 'Y1' // Consumption for Functions
    tier: 'Dynamic'
  }
}

resource func 'Microsoft.Web/sites@2023-12-01' = {
  name: funcName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storage.listKeys().keys[0].value }
        { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: appInsights.properties.ConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' }
        // Enable Easy Auth enforcement via config below (authSettingsV2)
      ]
      http20Enabled: true
      minimumTlsVersion: '1.2'
      ftpsState: 'Disabled'
      cors: {
        allowedOrigins: [
          // Add your Power Apps domain if needed; CORS is typically managed by the custom connector
        ]
      }
    }
    httpsOnly: true
  }
}

// Enable App Service Authentication (Easy Auth) with Entra ID and enforce authentication.
resource auth 'Microsoft.Web/sites/config@2023-12-01' = {
  name: '${func.name}/authsettingsV2'
  properties: {
    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'Return401'
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          // When omitted, system can use an implicit provider. For enterprise, specify a registered app:
          // Provide clientId and clientSecretSettingName if using a dedicated app registration.
        }
        validation: {
          // Audience (App ID URI or application ID). Power Apps custom connector should request this audience.
          // Replace with your API application ID URI when using a dedicated AAD app registration.
          allowedAudiences: [
            'api://<your-app-id>'
          ]
        }
        login: {
          disableWWWAuthenticate: false
        }
      }
    }
    platform: {
      enabled: true
      runtimeVersion: '~1'
    }
    login: {
      tokenStore: {
        enabled: true
      }
    }
  }
}

// Azure OpenAI account
resource aoai 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: aoaiName
  location: location
  kind: 'OpenAI'
  sku: {
    name: 'S0'
  }
  properties: {
    customSubDomainName: toLower(aoaiName)
    publicNetworkAccess: 'Enabled'
  }
}

// Azure OpenAI deployment - ensure model/version are valid for your region
resource aoaiDeployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01' = {
  name: 'chat-${aoaiModelName}'
  parent: aoai
  properties: {
    model: {
      format: 'OpenAI'
      name: aoaiModelName
      version: aoaiModelVersion
    }
    capacities: [
      {
        capacity: 1
        capacityType: 'Standard'
      }
    ]
  }
}

// Assign RBAC: Cognitive Services OpenAI User role to the Function's managed identity
// Built-in role: Cognitive Services OpenAI User (Role ID: 5e0bd9bd-7ac1-4c9e-8289-1b01f135d4a8)
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(aoai.id, func.identity.principalId, 'CognitiveServicesOpenAIUserRole')
  scope: aoai
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7ac1-4c9e-8289-1b01f135d4a8')
    principalId: func.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

output functionAppName string = func.name
output openAiEndpoint string = 'https://${aoai.name}.openai.azure.com/'
output openAiDeployment string = aoaiDeployment.name

Tip: To find the correct model version for your region, run: az cognitiveservices account list-models --name <aoaiName> --resource-group <rg> --output table.

2) Implement a secure .NET 8 isolated Azure Function with DI and Managed Identity

The function validates Entra ID via Easy Auth headers, performs input validation, calls Azure OpenAI using DefaultAzureCredential, and returns a minimal response. AuthorizationLevel is Anonymous because App Service Authentication is enforcing auth at the edge; the code still verifies identity defensively.

// Program.cs
using System.Text.Json;
using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Middleware;
using Microsoft.Azure.Functions.Worker.Extensions.OpenApi.Extensions;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var host = new HostBuilder()
    .ConfigureFunctionsWebApplication(builder =>
    {
        // Add global middleware if needed (e.g., correlation, exception handling)
        builder.UseMiddleware<GlobalExceptionMiddleware>();
    })
    .ConfigureServices((ctx, services) =>
    {
        var config = ctx.Configuration;

        // Bind custom options
        services.Configure<OpenAIOptions>(config.GetSection(OpenAIOptions.SectionName));

        // Register OpenAI client using Managed Identity (no keys)
        services.AddSingleton((sp) =>
        {
            var options = sp.GetRequiredService<Microsoft.Extensions.Options.IOptions<OpenAIOptions>>().Value;
            // Use DefaultAzureCredential to leverage Managed Identity in Azure
            var credential = new DefaultAzureCredential();
            return new OpenAIClient(new Uri(options.Endpoint), credential);
        });

        services.AddSingleton<IPromptService, PromptService>();
        services.AddApplicationInsightsTelemetryWorkerService();
    })
    .ConfigureAppConfiguration(config =>
    {
        config.AddEnvironmentVariables();
    })
    .ConfigureLogging(logging =>
    {
        logging.AddConsole();
    })
    .Build();

await host.RunAsync();

file sealed class GlobalExceptionMiddleware : IFunctionsWorkerMiddleware
{
    public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
    {
        try
        {
            await next(context);
        }
        catch (Exception ex)
        {
            var logger = context.GetLogger<GlobalExceptionMiddleware>();
            logger.LogError(ex, "Unhandled exception");

            // Avoid leaking internals; return generic error with correlation ID
            var invocationId = context.InvocationId;
            var http = await context.GetHttpRequestDataAsync();
            if (http is not null)
            {
                var response = http.CreateResponse(System.Net.HttpStatusCode.InternalServerError);
                await response.WriteStringAsync($"Request failed. CorrelationId: {invocationId}");
                context.GetInvocationResult().Value = response;
            }
        }
    }
}

file sealed class OpenAIOptions
{
    public const string SectionName = "OpenAI";
    public string Endpoint { get; init; } = string.Empty; // e.g., https://<aoaiName>.openai.azure.com/
    public string Deployment { get; init; } = string.Empty; // e.g., chat-gpt-4o-mini
}

// Service abstraction to keep function logic clean
file interface IPromptService
{
    Task<string> CreateChatResponseAsync(string userInput, CancellationToken ct);
}

file sealed class PromptService(OpenAIClient client, Microsoft.Extensions.Options.IOptions<OpenAIOptions> opts, ILogger<PromptService> logger) : IPromptService
{
    private readonly OpenAIClient _client = client;
    private readonly OpenAIOptions _opts = opts.Value;
    private readonly ILogger<PromptService> _logger = logger;

    public async Task<string> CreateChatResponseAsync(string userInput, CancellationToken ct)
    {
        // Basic input trimming and minimal length check
        var prompt = (userInput ?? string.Empty).Trim();
        if (prompt.Length < 3)
        {
            return "Input too short.";
        }

        // Create chat completion with minimal system prompt
        var req = new ChatCompletionsOptions()
        {
            DeploymentName = _opts.Deployment,
            Temperature = 0.2f,
            MaxTokens = 256
        };
        req.Messages.Add(new ChatRequestSystemMessage("You are a concise assistant.")); // Guardrail
        req.Messages.Add(new ChatRequestUserMessage(prompt));

        _logger.LogInformation("Calling Azure OpenAI deployment {Deployment}", _opts.Deployment);

        var resp = await _client.GetChatCompletionsAsync(req, ct);
        var msg = resp.Value.Choices.Count > 0 ? resp.Value.Choices[0].Message.Content[0].Text : "No response.";
        return msg ?? string.Empty;
    }
}

// HttpFunction.cs
using System.Net;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace Api;

public sealed class ChatRequest
{
    // Strongly typed DTO for request validation
    public string Prompt { get; init; } = string.Empty;
}

public sealed class ChatFunction(IPromptService promptService, ILogger<ChatFunction> logger) 
{
    // Simple helper to read Easy Auth principal header safely
    private static ClaimsPrincipal? TryGetPrincipal(HttpRequestData req)
    {
        // Easy Auth sets x-ms-client-principal as Base64 JSON
        if (!req.Headers.TryGetValues("x-ms-client-principal", out var values)) return null;
        var b64 = values.FirstOrDefault();
        if (string.IsNullOrWhiteSpace(b64)) return null;

        try
        {
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
            using var doc = JsonDocument.Parse(json);
            var claims = new List<Claim>();
            if (doc.RootElement.TryGetProperty("claims", out var arr))
            {
                foreach (var c in arr.EnumerateArray())
                {
                    var typ = c.GetProperty("typ").GetString() ?? string.Empty;
                    var val = c.GetProperty("val").GetString() ?? string.Empty;
                    claims.Add(new Claim(typ, val));
                }
            }
            return new ClaimsPrincipal(new ClaimsIdentity(claims, "EasyAuth"));
        }
        catch
        {
            return null;
        }
    }

    [Function("chat")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "chat")] HttpRequestData req,
        FunctionContext context)
    {
        var principal = TryGetPrincipal(req);
        if (principal is null)
        {
            // Defense in depth: App Service auth should already block, but we double-check.
            var unauth = req.CreateResponse(HttpStatusCode.Unauthorized);
            await unauth.WriteStringAsync("Authentication required.");
            return unauth;
        }

        // Basic content-type check and bound read limit
        if (!req.Headers.TryGetValues("Content-Type", out var ct) || !ct.First().Contains("application/json", StringComparison.OrdinalIgnoreCase))
        {
            var bad = req.CreateResponse(HttpStatusCode.BadRequest);
            await bad.WriteStringAsync("Content-Type must be application/json.");
            return bad;
        }

        // Safe body read
        using var reader = new StreamReader(req.Body);
        var body = await reader.ReadToEndAsync();
        ChatRequest? input;
        try
        {
            input = JsonSerializer.Deserialize<ChatRequest>(body, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
        }
        catch
        {
            var bad = req.CreateResponse(HttpStatusCode.BadRequest);
            await bad.WriteStringAsync("Invalid JSON.");
            return bad;
        }

        if (input is null || string.IsNullOrWhiteSpace(input.Prompt))
        {
            var bad = req.CreateResponse(HttpStatusCode.BadRequest);
            await bad.WriteStringAsync("Prompt is required.");
            return bad;
        }

        var loggerScope = new Dictionary<string, object> { ["UserObjectId"] = principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value ?? "unknown" };
        using (logger.BeginScope(loggerScope))
        {
            try
            {
                var result = await promptService.CreateChatResponseAsync(input.Prompt, context.CancellationToken);
                var ok = req.CreateResponse(HttpStatusCode.OK);
                await ok.WriteAsJsonAsync(new { response = result });
                return ok;
            }
            catch (Exception ex)
            {
                logger.LogError(ex, "Error generating chat response");
                var err = req.CreateResponse(HttpStatusCode.BadGateway);
                await err.WriteStringAsync("AI request failed. Try again later.");
                return err;
            }
        }
    }
}

// appsettings.json (for local debug)
{
  "OpenAI": {
    "Endpoint": "https://<your-aoai-name>.openai.azure.com/",
    "Deployment": "chat-gpt-4o-mini"
  }
}

Tip: When running locally, ensure you are logged in with Azure CLI (az login) so DefaultAzureCredential can acquire a token. Assign yourself Cognitive Services OpenAI User on the AOAI resource for testing.

3) Enforce Azure AD (Easy Auth) - configuration example

The Bicep above enables Easy Auth and returns 401 for unauthenticated calls. If you maintain settings as JSON, you can also use an ARM style configuration:

// Example snippet (appsettings for site config via ARM/Bicep-style) ensures:
// - requireAuthentication: true
// - allowedAudiences must match the audience used by your client (Power Apps custom connector)
{
  "properties": {
    "authSettingsV2": {
      "platform": { "enabled": true },
      "globalValidation": {
        "requireAuthentication": true,
        "unauthenticatedClientAction": "Return401"
      },
      "identityProviders": {
        "azureActiveDirectory": {
          "enabled": true,
          "validation": {
            "allowedAudiences": [ "api://<your-app-id>" ]
          }
        }
      }
    }
  }
}

Tip: For most enterprise setups, register a dedicated App Registration for the Function API and reference its Application ID URI in allowedAudiences. Keep consent and scopes explicit.

4) Create a Power Apps Custom Connector

In Power Apps, open Solutions and create a new Custom Connector.
Set the Host to your Function URL (e.g., https://<func-name>.azurewebsites.net).
Define the POST /chat operation that accepts a JSON body { "prompt": "..." } and returns { "response": "..." }.
Security: Choose OAuth 2.0 (Azure Active Directory). Set Audience to match allowedAudiences (api://<your-app-id>). Supply Tenant ID and Client ID as provided by your admin.
Test the connector. You should receive HTTP 200 with the AI response. Unauthorized calls return 401.

5) Add client-side validation in Power Apps (Power Fx)

Before invoking the connector, validate inputs in the app to fail fast and reduce server load.

// Example Power Fx for a button's OnSelect
If(
    IsBlank(Trim(txtPrompt.Text)) || Len(Trim(txtPrompt.Text)) < 3,
    Notify("Please enter at least 3 characters.", NotificationType.Error),
    Set(
        aiResult,
        YourConnector.chat(
            {
                prompt: Trim(txtPrompt.Text)
            }
        ).response
    )
);

// Display result in a Label: Text = aiResult

Tip: Add input length limits and debouncing for multi-keystroke actions. For read-only UI against data, prefer server-side pagination and AsNoTracking() on the API layer where EF Core is involved.

Best Practices & Security

Identity and RBAC

Use Managed Identity for the Function App; never store secrets. The sample uses DefaultAzureCredential.
Assign the Cognitive Services OpenAI User role to the Function’s identity on the Azure OpenAI resource. This allows API calls without exposing keys.
Enforce Azure AD with Easy Auth at the platform level and verify identity in code for defense in depth.

Least Privilege and Network

Restrict access with the minimum RBAC scope necessary. Avoid granting Contributor on the subscription.
Enable HTTPS only and TLS 1.2+. Disable FTP/FTPS where possible.
Consider Private Endpoints for Azure OpenAI and Functions behind an Application Gateway/WAF for enterprise networks.

Validation, Error Handling, and Reliability

Validate input on both client (Power Apps) and server (Function). The code enforces content-type and schema shape.
Handle exceptions using middleware and return generic messages with correlation IDs to avoid leaking internals.
Implement circuit breakers and retries for downstream calls with transient fault policies if you add HTTP dependencies.

Observability

Use Application Insights. Log prompt sizes and latency, not raw sensitive content.
Sample KQL to investigate errors:

// Requests by operation
requests
| where url endswith "/chat"
| summarize count() by resultCode

// Exceptions with correlation
exceptions
| where operation_Name == "chat"
| project timestamp, type, problemId, outerMessage, operation_Id

// Latency p95
requests
| where url endswith "/chat"
| summarize p95(duration) by bin(timestamp, 1h)

Cost and Abuse Controls

Apply rate limiting at the API Management layer if exposing broadly.
Set MaxTokens and Temperature conservatively; monitor usage with budgets and alerts.
Implement content filters as needed using Azure AI Content Safety.

Summary

Power Apps integrates cleanly with AI by calling a secure .NET 8 Azure Function that uses Managed Identity to access Azure OpenAI.
Security is enforced with Azure AD (Easy Auth) and RBAC, specifically the Cognitive Services OpenAI User role.
IaC with Bicep, defensive coding, and Application Insights deliver repeatable, production-grade operations.

Saturday, 17 January 2026

AI in 2026: Key Expectations, Trends, and How to Prepare

Overview: Where AI Is Heading in 2026

The phrase expectations in Artificial Intelligence in 2026 captures a pivotal moment: AI is shifting from experimental pilots to production-grade systems that power everyday products, business workflows, and developer tooling. In 2026, expect faster multimodal models, trustworthy guardrails, on-device intelligence, and measurable ROI across industries.

Key Trends Shaping AI in 2026

1) Multimodal AI goes mainstream

Models that understand and generate text, images, audio, and structured data together will be standard in design, support, analytics, and accessibility. This unlocks richer search, smarter dashboards, and hands-free interfaces.

Impact: Better product discovery, visual troubleshooting, and voice-first experiences.
What to watch: Faster inference, higher fidelity outputs, and tool-augmented reasoning.

2) Agentic workflows and tool-use

“AI agents” will reliably plan, call tools/APIs, retrieve knowledge, and verify results. Guardrails will improve success rates for repetitive tasks like reporting, data entry, and QA.

Impact: Hours saved per employee per week; higher process quality.
What to watch: ReAct-style reasoning, structured output validation, and human-in-the-loop approvals.

3) On-device and edge AI

Smaller, efficient models will run on laptops, phones, and IoT, reducing latency and boosting privacy.

Impact: Offline assistance, instant transcription, and smarter sensors.
What to watch: Quantization, distillation, hardware accelerators, and hybrid cloud-edge orchestration.

Enterprise AI: From Pilots to ROI

4) Production-ready governance

Companies will standardize model evaluation, versioning, prompt/change management, and audit trails, reducing risk and downtime.

Impact: Faster approvals, repeatable deployments, and compliance confidence.
What to watch: Evaluation suites (quality, bias, drift), prompt registries, and policy-based routing.

5) Retrieval-augmented solutions

Retrieval-Augmented Generation (RAG) will remain a top pattern for reliable, up-to-date answers over private data.

Impact: Trustworthy chat over docs, catalogs, and tickets.
What to watch: Better chunking, embeddings, re-ranking, and citations.

6) Cost, latency, and quality optimization

Teams will mix foundation models with compact domain models, caching, and response routing to hit budget and SLA targets.

Impact: Lower TCO with equal or better outcomes.
What to watch: Adaptive model selection and response compression.

Trust, Safety, and Responsible AI

7) Policy-aware systems

Expect clearer controls for safety filters, data residency, privacy, and content provenance (watermarking/signals) to strengthen user trust.

Impact: Safer deployments across industries.
What to watch: Red-teaming, safety benchmarks, and provenance indicators.

8) Transparency and evaluation

Standardized reporting on model behavior, data handling, and risk will help buyers compare solutions and meet internal requirements.

Impact: Faster procurement and stakeholder alignment.
What to watch: Model cards, evaluation leaderboards, and continuous monitoring.

Practical Examples and Use Cases

Customer experience

Multimodal support: Users upload a product photo; the agent identifies the part, pulls the warranty, and guides a fix.
Proactive retention: Agents detect churn risk and trigger personalized offers.

Operations and analytics

Automated reporting: An agent compiles KPI decks, checks anomalies, and drafts executive summaries with citations.
Data quality: AI flags schema drift, missing values, and conflicting metrics.

Product and engineering

On-device coding assistant: Suggests patches offline, enforces style, and cites docs.
Design co-pilot: Generates UI variants from sketches with accessibility checks.

How to Prepare in 2026

Start with narrow, high-value tasks: Pick workflows with clear KPIs and guardrails.
Adopt RAG for accuracy: Keep answers grounded in your latest, approved content.
Instrument everything: Track cost, latency, win rate, user satisfaction, and error types.
Establish governance: Version prompts, document changes, audit access, and define escalation paths.
Optimize stack: Use a mix of large and small models, caching, and adaptive routing.
Invest in data: Clean, labeled, and searchable content boosts model performance.
Train teams: Upskill on prompt patterns, evaluation, and safe deployment practices.

Bottom Line

In 2026, the most successful AI programs will combine multimodal models, agentic tool-use, strong governance, and cost-aware engineering. By focusing on measurable outcomes and trustworthy systems, organizations can turn expectations in Artificial Intelligence in 2026 into durable competitive advantage.

What Is an AI Agent? A Clear, Actionable Guide With Examples

Wondering What is an AI Agent? In simple terms, an AI agent is a software system that can perceive information, reason about it, and take actions toward a goal—often autonomously. Modern AI agents can interact with tools, APIs, data sources, and people to complete tasks with minimal human guidance.

Core Definition and How AI Agents Work

An AI agent combines perception, reasoning, memory, and action to deliver outcomes. Think of it as a goal-driven digital worker that uses models, rules, and tools to get things done.

Perception: Collects inputs, such as text prompts, sensor data, emails, or database records.
Reasoning and Planning: Decides what to do next using heuristics, rules, or machine learning models.
Memory: Stores context, prior steps, results, and feedback for continuity and improvement.
Action: Executes tasks via APIs, software tools, scripts, or conversational messages.

Types of AI Agents

Reactive agents: Respond to the current input without long-term memory. Fast and reliable for routine tasks.
Deliberative (planning) agents: Build and follow plans, simulate steps, and adjust as they learn more.
Learning agents: Improve behavior over time through feedback, rewards, or fine-tuning.
Tool-using agents: Call external tools (search, spreadsheets, CRMs, code runners) to complete complex tasks.
Multi-agent systems: Several agents with specialized roles collaborate and coordinate to solve larger problems.

Practical Examples

Customer Support and CX

Ticket triage agent: Classifies, prioritizes, and routes support tickets to the right team.
Self-service assistant: Answers FAQs, updates orders, or schedules returns using CRM and order APIs.

Marketing and Content

Content planner agent: Generates briefs, outlines, and SEO metadata aligned to brand guidelines.
Campaign optimizer: Tests headlines, segments audiences, and adjusts bids based on performance data.

Operations and IT

Data QA agent: Validates datasets, flags anomalies, and triggers alerts.
DevOps helper: Monitors logs, suggests fixes, and opens pull requests for routine patches.

Key Benefits

Scalability: Handle repetitive tasks 24/7 without burnout.
Consistency: Fewer errors and uniform outcomes across workflows.
Speed: Rapid research, drafting, analysis, and tool execution.
Cost efficiency: Automate high-volume processes to free teams for higher-value work.

Limitations and Risks

Hallucinations or errors: Agents can produce incorrect outputs without robust validation.
Tool misuse: Poorly scoped permissions can lead to unintended actions.
Data privacy: Sensitive data requires secure handling and access controls.
Over-automation: Not every task should be autonomous; human oversight remains crucial.

Design Best Practices

Define clear goals: Specify the agent’s objective, success metrics, and boundaries.
Constrain tools and data: Use least-privilege access with read/write scopes and audit logs.
Add validation layers: Include rule checks, approvals, and unit tests for critical steps.
Structured memory: Store context in retrievable formats for consistent behavior.
Human-in-the-loop: Require review for high-impact actions like payments or deployments.

Getting Started: A Simple Blueprint

Choose a use case: Start with a narrow, repetitive workflow (e.g., FAQ resolution, lead enrichment).
Pick tools: Identify APIs, databases, or SaaS apps the agent needs to access.
Set guardrails: Permissions, rate limits, sandbox testing, and observability.
Iterate: Pilot with a small dataset, measure outcomes, refine prompts and policies.

Frequently Asked Questions

Is an AI agent the same as a chatbot?

No. A chatbot is conversational. An AI agent goes further by planning and taking actions via tools and APIs to complete tasks end-to-end.

Do AI agents replace humans?

They augment teams by automating repetitive steps. Humans still provide strategy, judgment, and oversight, especially for complex or sensitive decisions.

What skills are needed to build one?

Basic API familiarity, prompt design, data handling, and security best practices. For advanced agents, add workflow orchestration and evaluation frameworks.

What Is an LLM in Artificial Intelligence? A Clear, Practical Guide

Understanding LLM in Artificial Intelligence

An LLM in Artificial Intelligence stands for Large Language Model, a type of AI system trained on vast text datasets to understand and generate human-like language. LLMs can summarize content, answer questions, write code, translate languages, and support search and research by predicting the most likely next words based on patterns learned during training.

How an LLM Works

At its core, an LLM uses deep learning—specifically transformer architectures—to process and generate text. During training, it learns statistical relationships between words and concepts, enabling it to produce coherent, context-aware responses.

Pretraining: The model learns general language patterns from large corpora.
Fine-tuning: It is adapted to specific tasks or domains (e.g., legal, medical, customer support).
Inference: Given a prompt, it generates relevant output based on learned probabilities.

Key Capabilities and Examples

Text generation: Drafting emails, blog posts, and product descriptions. Example: Writing a 500-word overview of a new software release.
Summarization: Condensing long documents into key points. Example: Turning a 20-page report into a bullet summary.
Question answering: Providing fact-based replies with cited sources when tools are integrated.
Translation: Converting content between languages while preserving tone.
Code assistance: Suggesting snippets, refactoring, or explaining functions.
Semantic search: Retrieving contextually relevant information beyond keyword matching.

Core Components of LLMs

Transformer architecture: Uses attention mechanisms to weigh context across sequences.
Tokens and embeddings: Text is split into tokens and mapped into vector spaces to capture meaning.
Parameters: Millions to trillions of tunable weights that store learned patterns.
Context window: The amount of text the model can consider at once, affecting coherence and memory.

Benefits and Limitations

Benefits: Speed, scalability, 24/7 availability, flexible task coverage, and consistent tone.
Limitations: Possible inaccuracies (hallucinations), sensitivity to prompt phrasing, context window limits, and dependency on training data quality.

Best Practices for Using LLMs

Prompt clearly: Specify role, task, constraints, and format.
Provide structured inputs: Use bullet points or numbered steps for clarity.
Iterate: Refine prompts and evaluate outputs across diverse examples.
Ground with data: Integrate retrieval or APIs for up-to-date facts.
Human review: Validate outputs for accuracy, compliance, and tone.

Popular LLM Use Cases in Business

Customer support: Drafting responses and knowledge base updates.
Marketing: SEO content, ad copy, product descriptions.
Engineering: Code suggestions, documentation, QA test generation.
Operations: Report summarization, data extraction, SOP drafting.
Research: Literature review assistance and ideation.

Evaluating an LLM for Your Needs

Accuracy: Benchmark on your domain tasks.
Latency and cost: Measure response time and usage economics.
Security and privacy: Ensure data handling meets compliance requirements.
Customization: Check fine-tuning, prompt templates, and tool integration.
Observability: Logging, analytics, and guardrails to monitor quality.

Getting Started

Define your use case, draft sample prompts, test multiple LLMs with the same inputs, and compare accuracy, speed, and cost. Start with low-risk tasks, add human review, and progressively automate once outcomes are consistent.

Friday, 16 January 2026

Implementing PnP People Picker in React for SPFx: A Ready-to-Use Example with Strict TypeScript and Zod

The primary keyword pnp people picker control in react for SPfx with example sets the scope: implement a production-grade People Picker in a SharePoint Framework (SPFx) web part using React, strict TypeScript, and Zod validation. Why this matters: avoid vague selections, respect tenant boundaries and theming, and ship a fast, accessible control that your security team can approve.

The Problem

Developers often wire up People Picker quickly, then face issues with invalid selections, poor performance in large tenants, theming mismatches, and missing API permissions. The goal is a robust People Picker that validates data, performs well, and aligns with SPFx and Microsoft 365 security constraints.

Prerequisites

Node.js v20+
SPFx v1.18+ (React and TypeScript template)
@pnp/spfx-controls-react v3.23.0+ (PeoplePicker)
TypeScript strict mode enabled ("strict": true)
Zod v3.23.8+ for schema validation
Tenant admin rights to approve Microsoft Graph permissions for the package

The Solution (Step-by-Step)

1) Install dependencies and pin versions

npm install @pnp/spfx-controls-react@3.23.0 zod@3.23.8

Recommendation: pin versions to prevent accidental breaking changes in builds.

2) Configure delegated permissions (least privilege)

In config/package-solution.json, request the minimum Graph scopes needed to resolve people:

{
  "solution": {
    "webApiPermissionRequests": [
      { "resource": "Microsoft Graph", "scope": "User.ReadBasic.All" },
      { "resource": "Microsoft Graph", "scope": "People.Read" }
    ]
  }
}

After packaging and deploying, a tenant admin must approve these scopes. These are delegated permissions tied to the current user; no secrets or app-only access are required for the People Picker scenario.

3) Implement a strict, validated People Picker component

/* PeoplePickerField.tsx */
import * as React from "react";
import { useCallback, useMemo, useState } from "react";
import { WebPartContext } from "@microsoft/sp-webpart-base";
import { PeoplePicker, PrincipalType } from "@pnp/spfx-controls-react/lib/PeoplePicker";
import { z } from "zod";

// Define the shape we accept from People Picker selections
// The control returns IPrincipal-like objects; we validate subset we rely upon.
const PersonSchema = z.object({
  id: z.union([z.string(), z.number()]), // Graph or SP ID can be number or string
  secondaryText: z.string().nullable().optional(), // usually email or subtitle
  text: z.string().min(1), // display name
});

const SelectedPeopleSchema = z.array(PersonSchema).max(5); // enforce cardinality

export type ValidPerson = z.infer<typeof PersonSchema>;

export interface PeoplePickerFieldProps {
  context: WebPartContext; // SPFx context to ensure tenant and theme alignment
  label?: string;
  required?: boolean;
  maxPeople?: number; // override default of 5
  onChange: (people: ValidPerson[]) => void; // emits validated data only
}

// Memoized to avoid unnecessary re-renders in large forms
const PeoplePickerField: React.FC<PeoplePickerFieldProps> = ({
  context,
  label = "Assign to",
  required = false,
  maxPeople = 5,
  onChange,
}) => {
  // Internal state to show validation feedback
  const [error, setError] = useState<string | null>(null);

  // Enforce hard cap
  const personSelectionLimit = useMemo(() => Math.min(Math.max(1, maxPeople), 25), [maxPeople]);

  // Convert PeoplePicker selections through Zod
  const handleChange = useCallback((items: unknown[]) => {
    // PeoplePicker sends unknown shape; validate strictly before emitting
    const parsed = SelectedPeopleSchema.safeParse(items);
    if (!parsed.success) {
      setError("Invalid selection. Please choose valid users only.");
      onChange([]);
      return;
    }

    // Optional business rule: ensure each user has an email-like secondaryText
    const withEmail = parsed.data.filter(p => (p.secondaryText ?? "").includes("@"));
    if (withEmail.length !== parsed.data.length) {
      setError("Some selections are missing a valid email.");
      onChange([]);
      return;
    }

    setError(null);
    onChange(parsed.data);
  }, [onChange]);

  return (
    <div>
      <label>{label}{required ? " *" : ""}</label>
      {/**
       * PeoplePicker respects SPFx theme through provided context.
       * Use PrincipalType to limit search to users only, avoiding groups for clarity.
       */}
      <PeoplePicker
        context={context}
        titleText={label}
        personSelectionLimit={personSelectionLimit}
        ensureUser={true} // resolves users to the site collection to avoid auth issues
        showHiddenInUI={false}
        principalTypes={[PrincipalType.User]}
        resolveDelay={300} // debounce for performance in large tenants
        onChange={handleChange}
        required={required}
      />

      {/** Live region for accessibility */}
      <div aria-live="polite">{error ? error : ""}</div>
    </div>
  );
};

export default React.memo(PeoplePickerField);

Notes: resolveDelay reduces repeated queries while typing. principalTypes avoids unnecessary group matches unless you require them.

4) Use the field in a web part with validated submit

/* MyWebPartComponent.tsx */
import * as React from "react";
import { useCallback, useState } from "react";
import { WebPartContext } from "@microsoft/sp-webpart-base";
import PeoplePickerField, { ValidPerson } from "./PeoplePickerField";

interface MyWebPartProps { context: WebPartContext; }

const MyWebPartComponent: React.FC<MyWebPartProps> = ({ context }) => {
  const [assignees, setAssignees] = useState<ValidPerson[]>([]);
  const [submitStatus, setSubmitStatus] = useState<"idle" | "saving" | "success" | "error">("idle");

  const handlePeopleChange = useCallback((people: ValidPerson[]) => setAssignees(people), []);

  const handleSubmit = useCallback(async () => {
    try {
      setSubmitStatus("saving");
      // Example: persist only the IDs or emails to a list/Graph to avoid storing PII redundantly
      const payload = assignees.map(p => ({ id: String(p.id), email: p.secondaryText }));
      // TODO: call a secure API (e.g., SPHttpClient to SharePoint list) using current user's context
      await new Promise(r => setTimeout(r, 600)); // simulate network
      setSubmitStatus("success");
    } catch {
      setSubmitStatus("error");
    }
  }, [assignees]);

  return (
    <div>
      <h3>Create Task</h3>
      <PeoplePickerField
        context={context}
        label="Assignees"
        required={true}
        maxPeople={3}
        onChange={handlePeopleChange}
      />
      <button onClick={handleSubmit} disabled={assignees.length === 0 || submitStatus === "saving"}>
        Save
      </button>
      <div aria-live="polite">{submitStatus === "saving" ? "Saving..." : ""}</div>
      <div aria-live="polite">{submitStatus === "success" ? "Saved" : ""}</div>
      <div aria-live="polite">{submitStatus === "error" ? "Save failed" : ""}</div>
    </div>
  );
};

export default MyWebPartComponent;

5) Authentication in SPFx context

SPFx provides delegated authentication via the current user. For Microsoft Graph calls, use MSGraphClientFactory; for SharePoint calls, use SPHttpClient. You do not need to store tokens; SPFx handles tokens and consent. Avoid manual token acquisition unless implementing advanced scenarios.

6) Minimal test to validate the component contract

// PeoplePickerField.test.tsx
import React from "react";
import { render } from "@testing-library/react";
import PeoplePickerField from "./PeoplePickerField";

// Mock SPFx WebPartContext minimally for the control; provide shape your test runner needs
const mockContext = {} as unknown as any; // In real tests, provide a proper mock of the context APIs used by the control

test("renders label and enforces required", () => {
  const { getByText } = render(
    <PeoplePickerField context={mockContext} label="Assignees" required onChange={() => {}} />
  );
  expect(getByText(/Assignees/)).toBeTruthy();
});

Note: In integration tests, mount within an SPFx test harness or mock the PeoplePicker dependency. For unit tests, focus on validation logic paths invoked by onChange.

Best Practices & Security

Least privilege permissions. Request only User.ReadBasic.All and People.Read for resolving users. Do not request write scopes unless necessary.
Azure RBAC and Microsoft 365 roles. This scenario uses delegated permissions within Microsoft 365; no Azure subscription RBAC role is required. Users need a valid SharePoint license and access to the site. Tenant admin must approve Graph scopes. For directory-read scenarios beyond basics, Directory Readers role may be required by policy.
PII hygiene. Persist only identifiers (e.g., user IDs or emails) rather than full profiles. Avoid logging personal data. Mask PII in telemetry.
Performance. Use resolveDelay to debounce search. Limit personSelectionLimit to a realistic value (e.g., 3–5). Memoize the field (React.memo) and callbacks (useCallback) to reduce re-renders in complex forms.
Accessibility. Provide aria-live regions for validation and submit status. Ensure color contrast via SPFx theming; the PeoplePicker uses SPFx theme tokens when context is provided.
Theming. Always pass the SPFx context to ensure the control inherits the current site theme.
Error resilience. Wrap parent forms with an error boundary to display a fallback UI if a child component throws.
Versioning. Pin dependency versions in package.json to avoid unexpected changes. Regularly update to the latest stable to receive security fixes.
No server-side tech references here. Entity Framework patterns such as AsNoTracking are not applicable in SPFx client-side code.

Example package.json pins

{
  "dependencies": {
    "@pnp/spfx-controls-react": "3.23.0",
    "zod": "3.23.8"
  }
}

Optional: Error boundary pattern

import React from "react";

class ErrorBoundary extends React.Component<{}, { hasError: boolean }> {
  constructor(props: {}) {
    super(props);
    this.state = { hasError: false };
  }
  static getDerivedStateFromError() { return { hasError: true }; }
  render() { return this.state.hasError ? <div>Something went wrong.</div> : this.props.children; }
}

export default ErrorBoundary;

Wrap your form: ErrorBoundary around MyWebPartComponent to ensure a graceful fallback.

Summary

Implemented a strict, validated People Picker for SPFx with React, Zod, and tenant-aware theming via context.
Applied least privilege delegated permissions with admin consent, clear performance tuning, and accessibility patterns.
Hardened production readiness through validation-first design, memoization, testing hooks, and pinned dependencies.

Top SharePoint Migration Issues and How to Avoid Them

Understanding the Most Common SharePoint Migration Issues

Successful SharePoint migration requires careful planning, precise execution, and thorough validation. Without a structured approach, teams often face data loss, broken permissions, performance bottlenecks, and user adoption challenges. This guide outlines the most common pitfalls and practical ways to prevent them.

1) Incomplete Discovery and Content Cleanup

Skipping discovery leads to surprises during migration—unsupported file types, redundant content, or customizations you didn’t account for.

Issue: Migrating ROT (redundant, obsolete, trivial) content increases time and cost.
Issue: Oversized files, illegal characters, and path lengths exceeding limits cause failures.
Fix: Inventory sites, libraries, lists, versions, and customizations. Clean up ROT, standardize naming, shorten nested folder paths.
Example: A department library with 400k items and deep folders repeatedly failed until paths were reduced and content was archived.

2) Permissions and Security Mapping Gaps

Complex, item-level permissions often don’t translate cleanly across environments.

Issue: Broken inheritance and orphaned users after migration.
Issue: External sharing and guest access not reconfigured in the target environment.
Fix: Flatten overly granular permissions, map AD to Azure AD, and document group-to-role mappings. Recreate sharing policies post-cutover.
Example: A site with thousands of unique item permissions caused throttling until permissions were consolidated at the library level.

3) Customizations, Classic-to-Modern Gaps, and Unsupported Features

Not all on-prem or classic features exist in SharePoint Online or modern sites.

Issue: Custom master pages, sandbox solutions, and full-trust farm solutions won’t migrate as-is.
Issue: InfoPath forms, legacy workflows (SharePoint Designer), and third-party web parts require re-platforming.
Fix: Replace classic customizations with SPFx, Power Apps, and Power Automate. Adopt modern site templates and hub site architecture.
Example: A legacy expense form built in InfoPath was rebuilt in Power Apps with improved validation and mobile support.

4) Metadata, Version History, and Content Types

Misaligned information architecture leads to lost context and search relevance issues.

Issue: Metadata fields don’t map, breaking filters and views.
Issue: Version history truncates or inflates storage if not scoped.
Fix: Standardize content types and columns, migrate the term store first, and set versioning policies. Validate metadata post-migration.
Example: A document library lost “Client” tagging until the managed metadata term set was migrated and re-linked.

5) Performance, Throttling, and Network Constraints

Large migrations can hit service limits and network bottlenecks.

Issue: API throttling slows or halts migrations to SharePoint Online.
Issue: Latency and bandwidth constraints extend timelines.
Fix: Schedule off-peak runs, use incremental jobs, package content in optimal batches, and leverage approved migration tools with retry logic.
Example: Breaking a 5TB move into site-by-site batches with deltas cut total time by half.

6) Search, Navigation, and Broken Links

Users depend on discoverability; broken links erode trust.

Issue: Hard-coded links, classic navigation, and old site URLs fail post-migration.
Issue: Search results feel “empty” before re-indexing completes.
Fix: Use relative links, update navigation to modern hubs, plan redirects, and trigger re-indexing. Communicate indexing windows to users.
Example: A knowledge base site restored link integrity by mapping legacy URLs to new hub sites and rebuilding key pages.

7) Compliance, Retention, and Governance Misalignment

Migrations can unintentionally bypass compliance if policies aren’t aligned in the target environment.

Issue: Retention labels and DLP policies don’t carry over automatically.
Issue: Audit and sensitivity labels not enabled before content lands.
Fix: Deploy compliance policies first, then migrate. Validate label inheritance and auditing on sampled content.
Example: Contract libraries applied the correct sensitivity labels only after the target policies were pre-configured.

8) Cutover Strategy, Downtime, and User Adoption

Even a technically perfect migration fails without change management.

Issue: Confusion during cutover, duplicate work in parallel systems, and poor adoption.
Fix: Choose the right strategy (big bang vs. phased with deltas), freeze changes before final sync, and offer concise training and comms.
Example: A phased approach with two delta passes reduced data drift and improved confidence at go-live.

9) Tooling Choices and Validation Gaps

Using the wrong tool or skipping validation causes rework.

Issue: One-size-fits-all tools fail for complex scenarios.
Issue: No acceptance testing means issues surface after go-live.
Fix: Pilot with representative sites, compare item counts, metadata, permissions, and versions. Automate reports to spot deltas.
Example: A pilot revealed missing term sets, preventing a broad failure during full migration.

Practical Checklist to Minimize SharePoint Migration Issues

Plan: Define scope, timelines, success criteria, and rollback paths.
Discover: Inventory content, customizations, permissions, and dependencies.
Clean: Remove ROT, fix names, reduce path length, standardize structure.
Align: Rebuild information architecture, term store, and compliance policies first.
Migrate: Use batch strategies, schedule off-peak, and run deltas.
Validate: Verify counts, versions, metadata, links, and permissions.
Adopt: Train users, update documentation, and monitor support tickets.

Key Takeaway

Most SharePoint migration issues stem from inadequate discovery, unsupported customizations, and weak validation. By cleaning data, mapping permissions and metadata, planning for modern features, and executing a phased, validated approach, you can deliver a smooth transition that users trust.

Knowledge Agent in SharePoint: What It Is, How It Works, and How to Set It Up

What is the Knowledge Agent in SharePoint?

The term Knowledge Agent in SharePoint generally refers to an AI-powered assistant that uses your SharePoint content to answer questions, surface insights, and streamline knowledge discovery while respecting permissions. In practice, this is often implemented with Microsoft 365 Copilot, Microsoft Search, and optional add-ons like Viva Topics and SharePoint Premium to organize, retrieve, and generate responses grounded in your SharePoint sites, libraries, and lists.

Why organizations use a Knowledge Agent in SharePoint

Faster answers: Teams get instant, permission-trimmed answers from policies, SOPs, and project docs.
Reduced duplicate work: Surfaces existing assets so people reuse content instead of recreating it.
Consistent knowledge: Standardizes responses based on authoritative sources and metadata.
Better onboarding: New hires find tribal knowledge and how-to guidance quickly.

How a Knowledge Agent in SharePoint works

Grounded retrieval: Uses Microsoft Search and Graph signals to find the most relevant SharePoint items the user can access.
Security trimming: Answers are constrained by the user’s existing permissions; blocked content is never exposed.
Metadata and taxonomy: Columns, content types, and terms improve ranking, relevance, and summarization quality.
Optional enrichment: Viva Topics builds topic pages; SharePoint Premium (formerly Syntex) can auto-classify and extract metadata.

Common scenarios and example prompts

Policy and compliance

Ask: “Summarize our travel reimbursement policy and list required receipts.” The agent retrieves the latest policy page or PDF from the HR site and provides a concise, cited summary.

Project knowledge

Ask: “What are the milestones and risks for Project Orion?” The agent compiles milestones from a SharePoint list and risks from a project wiki, linking back to the sources.

Customer support

Ask: “How do I troubleshoot a failed connector?” The agent surfaces a step-by-step SOP from a knowledge library and highlights escalation paths.

Setting up a Knowledge Agent using SharePoint as the knowledge base

Confirm data foundations: Store authoritative documents in SharePoint with clear naming, versioning, and owners.
Structure content: Use content types, columns, and taxonomy for policies, procedures, and FAQs.
Enable enterprise search: Ensure SharePoint content is indexed and accessible via Microsoft Search.
Optional Copilot configuration: If you use Microsoft 365 Copilot or Copilot Studio, connect SharePoint sites as data sources so the agent can retrieve and ground answers.
Define scope and guardrails: Limit the agent to curated sites and libraries; maintain a whitelist of trusted sources.
Pilot with a team: Start with HR, Finance, or Support to test quality, then expand organization-wide.

Best practices for high-quality answers

Keep content current: Archive superseded documents and set review cadences (e.g., quarterly).
Standardize titles and summaries: Add executive summaries and clear titles for better retrieval and summarization.
Use templates: Consistent templates for SOPs, FAQs, and runbooks improve answer reliability.
Govern metadata: Apply required columns (owner, effective date, version) and managed terms.
Citations and links: Ensure the agent returns links to source files so users can verify details.
Measure and iterate: Track unanswered queries and refine content to close gaps.

Security, compliance, and governance

Respect permissions: The agent inherits SharePoint and Microsoft 365 permissions; avoid broad site access unless necessary.
Label sensitive content: Use sensitivity labels and DLP policies to prevent oversharing.
Audit and monitoring: Review logs and analytics to ensure the agent performs as intended.

Troubleshooting relevance and quality

Low-quality answers: Improve source documents, add summaries, and use clearer titles/headers.
Missing files: Confirm search indexing is enabled and the site/library is in scope.
Outdated information: Retire old versions and highlight the latest approved document.
No citations: Prefer storing authoritative content in SharePoint pages or modern libraries with metadata and avoid scattered personal file shares.

Frequently asked questions

Does the Knowledge Agent access everything in SharePoint?

No. It only accesses what a user is already permitted to see, honoring security trimming.

Do we need Viva Topics or SharePoint Premium?

Not required, but they enhance organization and metadata extraction, which can improve answer quality.

Can we limit the agent to specific sites?

Yes. Scope the agent to selected SharePoint sites and libraries to keep answers trustworthy and on-topic.

How do we keep knowledge fresh?

Assign content owners, add review schedules, and monitor unanswered queries to guide updates.

Getting started

Identify your top knowledge scenarios, curate authoritative SharePoint libraries, and pilot a scoped Knowledge Agent in SharePoint. With strong information architecture and governance, you’ll deliver faster, more accurate answers at scale—without compromising security.

Thursday, 15 January 2026

Const vs readonly in C#: Practical Rules, .NET 8 Examples, and When to Use Each

Const vs readonly in C#: use const for compile-time literals that never change and readonly for runtime-initialized values that should not change after construction. This article shows clear rules, .NET 8 examples with Dependency Injection, and production considerations so you pick the right tool every time.

The Problem

Mixing const and readonly without intent leads to brittle releases, hidden performance costs, and binary-compatibility breaks. You need a simple, reliable decision framework and copy-paste-ready code that works in modern .NET 8 Minimal APIs with DI.

Prerequisites

.NET 8 SDK: Needed to compile and run the Minimal API and C# 12 features.
An editor (Visual Studio Code or Visual Studio 2022+): For building and debugging the examples.
Azure CLI (optional): If you apply the security section with Managed Identity and RBAC for external configuration.

The Solution (Step-by-Step)

1) What const means

const is a compile-time constant. The value is inlined at call sites during compilation.
Only allowed for types with compile-time constants (primitive numeric types, char, bool, string, and enum).
Changing a public const value in a library can break consumers until they recompile, because callers hold the old inlined value.

// File: AppConstants.cs
namespace MyApp;

// Static class is acceptable here because it only holds constants and does not manage state or dependencies.
public static class AppConstants
{
    // Compile-time literals. Safe to inline and extremely fast to read.
    public const string AppName = "OrdersService";    // Inlined at compile-time
    public const int DefaultPageSize = 50;             // Only use if truly invariant
}

2) What readonly means

readonly fields are assigned exactly once at runtime: either at the declaration or in a constructor.
Use readonly when the value is not known at compile-time (e.g., injected through DI, environment-based, or computed) but must not change after creation.
static readonly is runtime-initialized once per type and is not inlined by callers, preserving binary compatibility across versions.

// File: Slug.cs
namespace MyApp;

// Simple immutable value object using readonly field.
public sealed class Slug
{
    public readonly string Value; // Assigned once; immutable thereafter.

    public Slug(string value)
    {
        // Validate then assign. Once assigned, cannot change.
        Value = string.IsNullOrWhiteSpace(value)
            ? throw new ArgumentException("Slug cannot be empty")
            : value.Trim().ToLowerInvariant();
    }
}

3) Prefer static readonly for non-literal shared values

Use static readonly for objects like Regex, TimeSpan, Uri, or configuration-derived values that are constant for the process lifetime.

// File: Parsing.cs
using System.Text.RegularExpressions;

namespace MyApp;

public static class Parsing
{
    // Compiled Regex cached for reuse. Not a compile-time literal, so static readonly, not const.
    public static readonly Regex SlugPattern = new(
        pattern: "^[a-z0-9-]+$",
        options: RegexOptions.Compiled | RegexOptions.CultureInvariant
    );
}

4) Minimal API (.NET 8) with DI using readonly

// File: Program.cs
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

namespace MyApp;

// Options record for settings that may vary by environment.
public sealed record PaginationOptions(int DefaultPageSize, int MaxPageSize);

// Service depending on options. Primary constructor for clarity.
public sealed class ProductService(IOptions<PaginationOptions> options)
{
    private readonly int _defaultPageSize = options.Value.DefaultPageSize; // readonly: set once from DI

    public IResult List(int? pageSize)
    {
        // Enforce immutable default from DI; callers can't mutate _defaultPageSize
        var size = pageSize is > 0 ? pageSize.Value : _defaultPageSize;
        return Results.Ok(new { PageSize = size, Source = "DI/readonly" });
    }
}

var builder = WebApplication.CreateBuilder(args);

// Bind options from configuration once. Keep them immutable after construction.
builder.Services.Configure<PaginationOptions>(builder.Configuration.GetSection("Pagination"));

// Register ProductService for DI.
builder.Services.AddSingleton<ProductService>();

var app = builder.Build();

// Use const for literal routes and tags: truly invariant strings.
app.MapGet("/products", (ProductService svc, int? pageSize) => svc.List(pageSize))
   .WithTags(AppConstants.AppName);

app.Run();

5) When to use which (decision rules)

Use const when: the value is a true literal that will never change across versions, and you accept inlining (e.g., mathematical constants, semantic tags, fixed route segments).
Use readonly when: the value is computed, injected, environment-specific, or may change across versions without forcing consumer recompilation.
Use static readonly for: reference types (Regex, TimeSpan, Uri) or structs not representable as compile-time constants, shared across the app.
Avoid public const in libraries for values that might change; prefer public static readonly to avoid binary-compat issues.

6) Performance and threading

const reads are effectively free due to inlining.
static readonly reads are a single memory read; their initialization is thread-safe under the CLR type initializer semantics.
RegexOptions.Compiled with static readonly avoids repeated parsing and allocation under load.

7) Advanced: readonly struct for immutable value types

Use readonly struct to guarantee all instance members do not mutate state and to enable defensive copies avoidance by the compiler.
Prefer struct only for small, immutable value types to avoid copying overhead.

// File: Money.cs
namespace MyApp;

public readonly struct Money
{
    public decimal Amount { get; }
    public string Currency { get; }

    public Money(decimal amount, string currency)
    {
        Amount = amount;
        Currency = currency;
    }

    // Methods cannot mutate fields because the struct is readonly.
    public Money Convert(decimal rate) => new(Amount * rate, Currency);
}

8) Binary compatibility and versioning

Public const values are inlined into consuming assemblies. If you change the const and do not recompile consumers, they keep the old value. This is a breaking behavior.
Public static readonly values are not inlined. Changing them in your library updates behavior without requiring consumer recompilation.
Guideline: For public libraries, avoid public const except for values guaranteed to never change (e.g., mathematical constants or protocol IDs defined as forever-stable).

9) Testing and static analysis

Roslyn analyzers: Enable CA1802 (use const) to suggest const when fields can be made const; enable IDE0044 to suggest readonly for fields assigned only in constructor.
CI/CD: Treat analyzer warnings as errors for categories Design, Performance, and Style to enforce immutability usage consistently.
Unit tests: Assert immutability by verifying no public setters exist and by attempting to mutate through reflection only in dedicated tests if necessary.

10) Cross-language note: TypeScript immutability parallel

If your stack includes TypeScript, mirror the C# intent with readonly and schema validation.

// File: settings.ts
// Strict typing; no 'any'. Enforce immutability on config and validate with Zod.
import { z } from "zod";

// Zod schema for runtime validation
export const ConfigSchema = z.object({
  apiBaseUrl: z.string().url(),
  defaultPageSize: z.number().int().positive(),
}).strict();

export type Config = Readonly<{
  apiBaseUrl: string;           // readonly by type
  defaultPageSize: number;      // readonly by type
}>;

export function loadConfig(env: NodeJS.ProcessEnv): Config {
  // Validate at runtime, then freeze object to mimic readonly semantics
  const parsed = ConfigSchema.parse({
    apiBaseUrl: env.API_BASE_URL,
    defaultPageSize: Number(env.DEFAULT_PAGE_SIZE ?? 50),
  });
  return Object.freeze(parsed) as Config;
}

Best Practices & Security

Best Practice: Use const only for literals that are guaranteed stable across versions. For anything configuration-related, prefer readonly or static readonly loaded via DI.
Best Practice: Static classes holding only const or static readonly are acceptable because they do not manage state or dependencies.
Security: If loading values from Azure services (e.g., Azure App Configuration or Key Vault), use Managed Identity instead of connection strings. Grant the minimal RBAC roles required: for Azure App Configuration, assign App Configuration Data Reader to the managed identity; for Key Vault, assign Key Vault Secrets User; for reading resource metadata, the Reader role is sufficient. Do not embed secrets in const or readonly fields.
Operational Safety: Avoid public const for values that may change; use public static readonly to prevent consumer inlining issues and to reduce breaking changes.
Observability: Expose configuration values carefully in logs; never log secrets. If you must log, redact or hash values and keep them in readonly fields populated via DI.

Summary

Use const for true compile-time literals that never change; prefer static readonly for public values to avoid consumer recompilation.
Use readonly (and static readonly) for runtime-initialized, immutable values, especially when sourced via DI or environment configuration.
Harden production: enforce analyzers in CI, adopt Managed Identity with least-privilege RBAC, and avoid embedding secrets or changeable values in const.