Over the past 13 years, I’ve worked across multiple organizations and industries, building enterprise systems at scale.

Here are key lessons from that journey.

1. Simplicity scales better than complexity

2. Understand the business before writing code

3. Architecture is about trade-offs

4. Performance and cost go hand-in-hand

5. Communication is as important as technical skills

6. Always design for change

7. Real-world systems are messy — embrace it

8. Learn continuously (especially with AI evolving)

9. Documentation matters

10. Build reusable patterns

11. Test assumptions early

12. Focus on impact, not just technology

13. Build something of your own (like JainKwiz)

Conclusion

Technology evolves, but fundamentals remain the same — clarity, simplicity, and purpose.

Example content

This post can be used as a template for future articles, and it shows how posts are rendered using the new theme layout.

• Item 1
• Item 2

Enjoy publishing content!

AI is rapidly transforming enterprise applications, and Microsoft Copilot Studio is at the center of this shift.

The Opportunity

Traditional CRM systems require manual navigation and data entry. Copilot introduces:

• Natural language interactions
• Automated workflows
• Intelligent insights

Architecture Pattern

A typical setup includes:

• Copilot Studio for conversational interface
• Dataverse for structured data
• Power Automate for workflows
• Azure OpenAI for intelligence

Use Cases

• Customer query resolution
• Automated case creation
• Intelligent recommendations

Key Benefits

• Reduced manual effort
• Improved user experience
• Faster decision-making

Conclusion

Copilot + D365 is not just an enhancement — it’s a shift toward AI-first enterprise applications.

SharePoint Framework (SPFx) is the modern way to extend SharePoint Online, Microsoft Teams, and Microsoft Viva Connections. After building SPFx solutions for clients including global financial organisations, logistics companies, and pharmaceutical firms — ranging from simple web parts to complex intranet platforms — I have a clear set of practices that separate production-quality work from prototype-quality work.

This post covers what I actually do in projects, not what the documentation suggests.

Project Structure That Scales

Most tutorials show you a single web part in a single file. Real projects have multiple web parts, shared components, custom hooks, and services. Your structure needs to support this from day one.

src/
├── webparts/
│   ├── myDashboard/
│   │   ├── MyDashboardWebPart.ts      # SPFx entry point
│   │   ├── components/
│   │   │   ├── MyDashboard.tsx        # Root component
│   │   │   ├── MyDashboard.module.scss
│   │   │   └── widgets/
│   │   │       ├── AnnouncementWidget.tsx
│   │   │       └── TaskWidget.tsx
│   │   └── hooks/
│   │       └── useDashboardData.ts
│   └── myForm/
│       └── ...
├── shared/
│   ├── components/               # Reusable UI components
│   │   ├── LoadingSpinner.tsx
│   │   ├── ErrorBoundary.tsx
│   │   └── UserCard.tsx
│   ├── hooks/                    # Shared custom hooks
│   │   ├── useGraphClient.ts
│   │   └── usePnP.ts
│   ├── services/                 # API and data services
│   │   ├── GraphService.ts
│   │   ├── SharePointService.ts
│   │   └── CacheService.ts
│   ├── models/                   # TypeScript interfaces
│   │   ├── IUser.ts
│   │   └── IAnnouncement.ts
│   └── utils/
│       ├── dateUtils.ts
│       └── permissions.ts
└── extensions/
    └── ...

The shared/ folder is the key. Any code used by more than one web part lives there. This prevents duplication and makes updates — especially to API services — a single change rather than a hunt across multiple web parts.

TypeScript — Use It Properly

SPFx has always supported TypeScript, but many codebases I inherit treat it like JavaScript with optional types. This misses the core benefit: catching errors at build time, not at runtime in production.

Rules I enforce:

// tsconfig.json additions
{
  "compilerOptions": {
    "strict": true,           // Enable all strict checks
    "noImplicitAny": true,    // No implicit any types
    "strictNullChecks": true, // Null and undefined must be handled explicitly
    "noUnusedLocals": true    // Catch dead code
  }
}

Model every API response:

// Don't do this
const getData = async (): Promise<any> => { ... }

// Do this
interface ISharePointListItem {
  Id: number;
  Title: string;
  Author: { Title: string; EMail: string };
  Created: string;
  Modified: string;
}

const getData = async (): Promise<ISharePointListItem[]> => { ... }

When a SharePoint column is renamed or removed, TypeScript will tell you at compile time. Without types, you find out when a production user sees undefined in their browser.

Microsoft Graph and PnPjs: Know When to Use Each

This is a question I get asked constantly. Both can access SharePoint data — the difference is about what you are doing:

// PnPjs: clean, typed, handles pagination automatically
import { spfi, SPFx } from "@pnp/sp";
import "@pnp/sp/lists";
import "@pnp/sp/items";

const sp = spfi().using(SPFx(this.context));

const items = await sp.web.lists
  .getByTitle("Announcements")
  .items
  .select("Id", "Title", "Body", "ExpiryDate")
  .filter("ExpiryDate ge datetime'" + new Date().toISOString() + "'")
  .orderBy("Created", false)
  .top(10)();

// Microsoft Graph: for M365 user data
import { MSGraphClientV3 } from "@microsoft/sp-http";

const client: MSGraphClientV3 = await this.context.msGraphClientFactory.getClient("3");
const me = await client.api("/me").select("displayName,mail,department").get();

Performance: The Problems Nobody Talks About

SPFx web parts run in an iFrame inside SharePoint. Every API call adds latency. Here is where performance is lost and how to recover it:

Problem 1: Waterfall API Calls

// BAD: sequential — each call waits for the previous
const user = await getUser();
const items = await getItems(user.id);
const metadata = await getMetadata(items[0].id);

// GOOD: parallel where possible
const [user, recentItems] = await Promise.all([
  getUser(),
  getRecentItems()
]);
const details = await getDetails(user.id, recentItems[0].id);

Problem 2: No Caching

SharePoint API calls from SPFx are expensive in latency terms. Cache aggressively for data that does not need to be real-time.

class CacheService {
  private static cache = new Map<string, { data: unknown; expiry: number }>();
  
  static async get<T>(
    key: string, 
    fetcher: () => Promise<T>, 
    ttlSeconds: number = 300
  ): Promise<T> {
    const cached = this.cache.get(key);
    if (cached && cached.expiry > Date.now()) {
      return cached.data as T;
    }
    
    const data = await fetcher();
    this.cache.set(key, { data, expiry: Date.now() + ttlSeconds * 1000 });
    return data;
  }
}

// Usage
const announcements = await CacheService.get(
  'announcements',
  () => sp.web.lists.getByTitle("Announcements").items.top(10)(),
  300 // 5 minute cache
);

Problem 3: Rendering Everything on Load

Use lazy loading for below-the-fold content. SPFx web parts are often positioned low on long SharePoint pages — do not fetch data until the user scrolls to them.

const IntersectionWrapper: React.FC<{ children: React.ReactNode }> = ({ children }) => {
  const [isVisible, setIsVisible] = React.useState(false);
  const ref = React.useRef<HTMLDivElement>(null);
  
  React.useEffect(() => {
    const observer = new IntersectionObserver(
      ([entry]) => { if (entry.isIntersecting) setIsVisible(true); },
      { threshold: 0.1 }
    );
    if (ref.current) observer.observe(ref.current);
    return () => observer.disconnect();
  }, []);
  
  return <div ref={ref}>{isVisible ? children : <Skeleton />}</div>;
};

Permissions and Security Content Security Policy (CSP)

SharePoint Online enforces a strict Content Security Policy (CSP). This breaks web parts that try to load external resources — scripts, fonts, images, API calls — without proper configuration.

Common CSP violations I see in production:

• Inline styles set via JavaScript (element.style.cssText = ...)
• External Google Fonts loaded via <link> in web part HTML
• Direct calls to third-party APIs without proper CORS headers

Solutions:

// Use CSS modules or SCSS — never inline styles
import styles from './MyWebPart.module.scss';
// <div className={styles.container}>...

// Load external fonts via the SPFx loadScript API, not inline
import { SPComponentLoader } from "@microsoft/sp-loader";

SPComponentLoader.loadCss("https://fonts.googleapis.com/css2?family=Inter:wght@400;600&display=swap");

For custom API endpoints, configure CORS properly on your Azure Function or API:

// Azure Function CORS (via host.json or Azure Portal)
// host.json
{
  "extensions": {
    "http": {
      "routePrefix": "api",
      "cors": {
        "allowedOrigins": [
          "https://<tenant>.sharepoint.com"
        ]
      }
    }
  }
}

Error Handling and Telemetry

Production SPFx web parts must handle errors gracefully and surface actionable information. A blank white box with no explanation destroys user trust.

class ErrorBoundary extends React.Component<
  { children: React.ReactNode; webPartTitle: string },
  { hasError: boolean; error?: Error }
> {
  state = { hasError: false };
  
  static getDerivedStateFromError(error: Error) {
    return { hasError: true, error };
  }
  
  componentDidCatch(error: Error, info: React.ErrorInfo) {
    // Log to Application Insights
    appInsights.trackException({ 
      exception: error,
      properties: { webPart: this.props.webPartTitle, componentStack: info.componentStack }
    });
  }
  
  render() {
    if (this.state.hasError) {
      return (
        <div className={styles.errorState}>
          <Icon iconName="ErrorBadge" />
          <Text>Something went wrong loading {this.props.webPartTitle}.</Text>
          <Text variant="small">Please refresh the page or contact support.</Text>
        </div>
      );
    }
    return this.props.children;
  }
}

I connect every production SPFx solution to Azure Application Insights. Page load times, API call durations, and JavaScript exceptions are tracked automatically. When a client reports “the web part is broken,” I can pinpoint the cause before they finish the sentence.

Deployment and Solution Packaging

Always use tenant-scoped deployment for shared components. Site-scoped deployment requires manual activation on every site — this is unmaintainable at scale.

In package-solution.json:

{
  "solution": {
    "name": "ACME-Intranet",
    "id": "...",
    "version": "1.0.0.0",
    "includeClientSideAssets": true,
    "skipFeatureDeployment": true    // Tenant-wide deployment
  },
  "paths": {
    "zippedPackage": "solution/acme-intranet.sppkg"
  }
}

Versioning: Increment the version in package-solution.json on every deployment. SharePoint uses this to decide whether to update cached assets. Without version bumps, users may see stale JavaScript long after you deploy a fix.

Accessibility

SharePoint intranets serve everyone — including users with accessibility needs. SPFx solutions are subject to WCAG 2.1 AA requirements at most enterprise clients.

Non-negotiables I include in every project:

// Keyboard navigation and ARIA labels
<button
  aria-label="Open announcements panel"
  onClick={openPanel}
  onKeyDown={(e) => e.key === 'Enter' && openPanel()}
>
  <Icon iconName="News" aria-hidden="true" />
</button>

// Focus management when panels open
React.useEffect(() => {
  if (isPanelOpen) {
    panelTitleRef.current?.focus();
  }
}, [isPanelOpen]);

// Sufficient colour contrast — use Fluent UI theme tokens
// Don't hard-code colors; use var(--neutralPrimary) etc.

Run Accessibility Insights for Web (Microsoft’s free tool) on every web part before release. It catches the majority of issues before a manual audit.

A Note on Keeping Up

SPFx evolves rapidly. The team ships major framework updates that change how properties, contexts, and APIs work. The mistakes I see most often in inherited projects:

• Using deprecated sp-pnp-js v2 (current is @pnp/sp v4)
• Using the old GraphHttpClient instead of MSGraphClientV3
• Not updating the SPFx yeoman generator before scaffolding new projects

Sign up for the Microsoft 365 Developer Blog and the SPFx release notes. SPFx updates rarely break existing solutions — but staying current means accessing performance improvements and new APIs as they ship.

Conclusion

SPFx development at enterprise scale requires disciplined structure, typed APIs, performance awareness, and production-grade error handling from the start. The shortcuts that seem convenient during development always surface as maintenance problems after go-live.

The best SPFx codebase I have worked on had these properties: a clear shared component library, every API call cached appropriately, full TypeScript coverage, and Application Insights on every production deployment. When something broke, we found it in our monitoring before the client found it in production. That is the standard to aim for.

After 13 years of building enterprise software for other people’s organisations, I did something that felt both obvious and terrifying: I built something of my own.

JainKwiz is a gamified learning platform for Jain philosophy — real-time multiplayer quiz tournaments, leaderboards, AI-assisted learning, and a progressive web app that runs beautifully on any device. It is live, it has real users, and it has taught me more about software product thinking in one year than most of my enterprise career combined.

This is the story of that build — the architecture choices, the surprises, and the lessons that changed how I think about software.

Why JainKwiz?

The Jain community has a rich tradition of religious education through Pathshalas (community schools). Children learn Jain scripture, history, philosophy, and practice — but mostly through textbooks, rote memorisation, and periodic tests. Engagement is a constant challenge, especially for younger generations growing up with smartphones and short attention spans.

I saw a real problem: meaningful content, motivated teachers, but a delivery mechanism stuck in the 1980s. The technology to fix this already existed. I just needed to build the bridge.

The mission became clear: make Jain education as engaging as Duolingo and as competitive as a game, while preserving the depth and authenticity of the tradition.

Architecture Decisions (and Why I Made Them)

Frontend: React + Ionic

I chose React with Ionic because I needed one codebase that could serve a mobile-quality experience on both iOS-like and Android-like surfaces, plus the web — without going the full React Native route with its native build complexity.

Ionic gives you native-feeling UI components (bottom tabs, swipeable sheets, haptic feedback patterns) that compile as a Progressive Web App. Users install JainKwiz to their home screen and get an experience that feels native. No app store friction. No review delays. Instant updates.

// Tournament lobby with real-time participant list
const TournamentLobby = ({ tournamentId }: Props) => {
  const { participants, isConnected } = useSignalR(tournamentId);
  
  return (
    <IonPage>
      <IonContent>
        <ParticipantList participants={participants} />
        <ConnectionStatus connected={isConnected} />
        {isHost && <StartTournamentButton tournamentId={tournamentId} />}
      </IonContent>
    </IonPage>
  );
};

What I would change: I underestimated the complexity of managing Ionic’s navigation stack alongside React Router. If I were starting again I would evaluate whether a simple React + Tailwind PWA would have been simpler to maintain without meaningfully sacrificing UX quality.

Real-time: Azure SignalR Service

The live tournament feature — where 20 people simultaneously answer the same question within a 15-second window — required genuine real-time infrastructure. I evaluated WebSocket libraries, Pusher, Socket.io (self-hosted), and Azure SignalR.

Azure SignalR won because:

• Serverless mode integrates cleanly with Azure Functions (no persistent server required)
• It scales automatically across WebSocket connections
• The Azure Functions trigger/binding system handles negotiation and message dispatch without boilerplate
• It fits the Azure Free tier for development and is cost-predictable in production

// Azure Function: broadcast next question to tournament room
[FunctionName("BroadcastQuestion")]
public static async Task Run(
    [TimerTrigger("*/15 * * * * *")] TimerInfo timer,
    [SignalR(HubName = "tournament")] IAsyncCollector<SignalRMessage> signalRMessages,
    ILogger log)
{
    var activeTournaments = await _tournamentService.GetActiveAsync();
    
    foreach (var tournament in activeTournaments)
    {
        var nextQuestion = await _questionService.GetNextAsync(tournament.Id);
        
        await signalRMessages.AddAsync(new SignalRMessage
        {
            GroupName = tournament.Id,
            Target = "nextQuestion",
            Arguments = new[] { nextQuestion }
        });
    }
}

Database: Cosmos DB

I chose Cosmos DB because the data access patterns for JainKwiz are heavily read-biased and document-oriented:

• Quiz questions with rich metadata (category, difficulty, language, tags)
• User profiles with gamification state (XP, level, streak, badges)
• Tournament sessions with participant lists and scores
• Leaderboard snapshots at weekly and global scopes

The partition key design was the hardest decision. I ended up with:

Cosmos DB’s free tier (1000 RU/s, 25GB) covers JainKwiz’s current scale comfortably. The serverless tier is an option for bursty workloads — I am evaluating the switch for the seasonal event peaks (Paryushana, Diwali).

Gamification: SM-2 Spaced Repetition

One feature I am particularly proud of is the spaced repetition engine built on the SM-2 algorithm. Rather than showing users random questions, JainKwiz adapts to their performance — questions they struggle with appear more frequently; mastered questions space out over days and weeks.

function calculateNextReview(card, quality) {
  // quality: 0-5 (0=blackout, 5=perfect)
  if (quality < 3) {
    return { interval: 1, easeFactor: Math.max(1.3, card.easeFactor - 0.2) };
  }
  
  const newEaseFactor = card.easeFactor + (0.1 - (5 - quality) * (0.08 + (5 - quality) * 0.02));
  const newInterval = card.repetitions === 0 ? 1
    : card.repetitions === 1 ? 6
    : Math.round(card.interval * newEaseFactor);
  
  return {
    interval: newInterval,
    easeFactor: Math.max(1.3, newEaseFactor),
    repetitions: card.repetitions + 1,
    nextReview: addDays(new Date(), newInterval)
  };
}

Users do not know they are interacting with an algorithm — they just feel like JainKwiz “knows” what they need to study. That invisibility is good product design.

What Enterprise Work Did Not Prepare Me For

1. You are the product manager, designer, developer, and support team

In enterprise work, there is always a business analyst, a project manager, a dedicated designer, and a QA team. Building JainKwiz solo meant making every product decision myself — and living with the consequences.

The hardest decisions were not technical. They were:

• Which features to build first (and which 20 features to say no to)
• How to structure the onboarding so a 12-year-old from Jalgaon can use it without instructions
• Whether to add Hindi language support immediately or defer it

These decisions have no correct answer and no senior stakeholder to escalate to. You just decide, ship, and learn.

2. Real users are brutally honest

Enterprise users are polite in feedback sessions. Real users either use your app or they do not. Retention numbers tell you the truth that user interviews sometimes hide.

My first version had a beautiful UI but the quiz flow had three taps too many before reaching the first question. Retention at day 3 was poor. I removed the friction, retention improved. No amount of stakeholder presentations would have taught me that — only shipping and measuring did.

3. Cost is not a rounding error

In enterprise projects, cloud spend is somebody else’s budget line. When it is your Azure subscription and your credit card, every resource decision becomes real.

I rewrote my indexing pipeline three times to reduce Azure Function invocation costs. I switched from Azure Blob Storage triggers (which poll constantly) to Event Grid triggers (which fire only on change). I moved from Cosmos DB provisioned throughput to serverless to cut idle costs by 80%.

This cost-consciousness has made me a better architect for enterprise clients — I now challenge provisioned capacity assumptions that previously felt unimportant.

4. Content is as hard as code

Building the question database was underestimated. Good quiz questions require:

• Factual accuracy (which means expert review by community knowledge-holders)
• Appropriate difficulty calibration
• Language sensitivity (Jain terminology varies across regional traditions)
• Diversity of question format (not just multiple choice)

I ended up building a separate question editor and review workflow — effectively a mini CMS — so trusted community contributors can submit and review questions. This content infrastructure took longer than the gamification engine.

The AI Layer

JainKwiz has an AI chatbot powered by Azure OpenAI (GPT-4o) that users can ask questions about Jain philosophy. The chatbot is grounded on a curated knowledge base of Jain texts and explanations — a RAG implementation similar to what I described in my earlier post on SharePoint RAG pipelines.

User: "What is the difference between Digambara and Shvetambara?"
Bot: [Retrieves relevant context from Jain knowledge base]
     "The Digambara and Shvetambara are the two main sects of Jainism..."
     [Cited from: Jain Philosophy Fundamentals, Chapter 3]

The grounding is critical — the general LLM has surface-level knowledge of Jainism but makes errors on specific philosophical points, canonical texts, and practice differences. The curated knowledge base corrects this.

JainKwiz as a Mirror

The most unexpected outcome of building JainKwiz has been what it taught me about my enterprise work.

When I design a feature for JainKwiz, I am the user. I feel the friction. I experience the delight. I understand why decisions matter. In enterprise work, the feedback loop is longer and often filtered through multiple layers.

Building JainKwiz made me a better architect. I question default assumptions more. I care more about what users actually experience rather than what the requirements document says. I design for change because I know I will need to change things.

If you are an enterprise developer considering building something of your own — I strongly encourage it. Pick a problem you care about, keep the scope small, and ship something real. The learning per hour invested will astonish you.

Current Status and What Is Next

JainKwiz is live at jainkwiz.com. Current features:

• Quiz engine with 500+ questions across 8 categories
• XP and level progression system
• Daily streaks and reminders
• Global and weekly leaderboards
• AI chatbot (beta)
• Jain festival calendar
• PWA (installable on home screen)

In progress:

• Live multiplayer tournaments (SignalR backend complete, frontend integration underway)
• Hindi language support
• Pathshala classroom mode (teacher dashboard + student roster)
• Mobile apps on Play Store / App Store via Capacitor

The classroom mode is the feature I am most excited about. It will let Pathshala teachers create assignments, track student progress, and run live class quiz sessions — bringing the technology directly into the community education system it was built to serve.

Conclusion

JainKwiz is my proof that an enterprise architect can build a real product, for real users, solving a real problem. It is not perfect — no product is. But it is live, it is growing, and it matters to the people who use it.

If you are from the Jain community and want to contribute questions, review content, or help with translations, please reach out. And if you want to know more about the technical architecture or the product journey, I would love to have that conversation.

The Power Platform democratises application development. That is both its greatest strength and its biggest operational challenge. After implementing governance frameworks for large global enterprises — including organisations with thousands of makers and hundreds of environments — I have seen what works and what creates expensive technical debt.

This post covers the governance patterns I rely on in production, moving from “anyone can build anything” chaos to a structured, secure, and scalable maker ecosystem.

Why Governance Cannot Be an Afterthought

Most organisations discover the need for Power Platform governance only after something goes wrong:

• A business-critical flow breaks and nobody knows who owns it
• Sensitive customer data flows through an unapproved connector to a personal OneDrive
• The default environment has 400 apps, 90% unmaintained, consuming capacity
• A maker leaves the company and their flows stop running because they were the only owner

These are not hypothetical scenarios — I have seen all of them firsthand. The good news is that Microsoft provides comprehensive tooling to prevent them. The bad news is that tooling requires deliberate configuration and a governance model to back it up.

The Governance Pillars

A mature Power Platform governance framework rests on four pillars:

┌─────────────────────────────────────────────────────────┐
│                  GOVERNANCE FRAMEWORK                   │
│                                                         │
│  1. Environment Strategy  │  2. Data Loss Prevention   │
│  ─────────────────────── │  ─────────────────────────  │
│  • Default isolation      │  • Connector classification │
│  • Dept environments      │  • Business / Non-Business  │
│  • Sandbox / Production   │  • Blocked connectors       │
│                           │                             │
│  3. CoE Starter Kit       │  4. ALM & DevOps           │
│  ─────────────────────── │  ─────────────────────────  │
│  • Inventory & visibility │  • Solution-based packaging │
│  • Compliance monitoring  │  • GitHub Actions CI/CD     │
│  • Maker enablement       │  • Managed environments     │
└─────────────────────────────────────────────────────────┘

Pillar 1: Environment Strategy

The most common mistake is allowing everything to happen in the default environment. This environment cannot be deleted and has relaxed defaults — it becomes a dumping ground.

My recommended environment topology:

Implementation via PowerShell / PAC CLI:

# Create a department environment with managed environment features
New-AdminPowerAppEnvironment `
  -DisplayName "Finance - Production" `
  -LocationName "unitedkingdom" `
  -EnvironmentSku Production `
  -ProvisionDatabase $true `
  -SecurityGroupId $financeGroupId

Managed Environments (premium) are essential at scale — they unlock usage insights, weekly digest emails to admins, and maker welcome content customisation.

Pillar 2: Data Loss Prevention (DLP) Policies

DLP policies are the security backbone of the platform. They control which connectors can work together, preventing data from leaking between trusted and untrusted services.

Three-tier classification:

• Business: SharePoint, Outlook, Teams, Dataverse, Azure services — approved for business data
• Non-Business: Personal OneDrive, Twitter, Google Sheets — cannot mix with Business connectors
• Blocked: Connectors that should never be used (e.g., certain social media platforms, shadow IT services)

DLP Policy Design Principles I follow:

1. Layer policies — apply a tenant-wide base policy, then environment-specific overrides. The most restrictive policy wins.
2. Block HTTP connector in production — the HTTP connector is an escape hatch that bypasses DLP entirely. Block it except in developer environments with explicit exception process.
3. Audit before enforcing — use audit mode first to understand the blast radius of a new DLP policy before enforcing it.

{
  "displayName": "Global Base Policy",
  "environments": { "filterType": "AllEnvironments" },
  "connectorGroups": [
    {
      "classification": "Confidential",
      "connectors": [
        { "id": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline" },
        { "id": "/providers/Microsoft.PowerApps/apis/shared_office365" },
        { "id": "/providers/Microsoft.PowerApps/apis/shared_commondataservice" }
      ]
    },
    {
      "classification": "Blocked",
      "connectors": [
        { "id": "/providers/Microsoft.PowerApps/apis/shared_twitter" }
      ]
    }
  ]
}

Pillar 3: Centre of Excellence (CoE) Starter Kit

The CoE Starter Kit is a collection of Power Apps, Power Automate flows, and Power BI dashboards that give admins full visibility into what is happening across the tenant.

What it gives you out of the box:

• Inventory app: Every app, flow, maker, and connector across all environments
• Risk score: Automated risk assessment based on connector usage and sharing settings
• Compliance process: Makers receive automated emails asking them to justify their apps
• Maker onboarding: Guided training and self-service environment request process

What I customise in every deployment:

CoE Customisations:
├── Custom risk scoring weights (adjust for your data sensitivity)
├── Integration with ServiceNow / Jira for environment request approvals
├── Power BI executive dashboard (tenant health at a glance)
├── Automated orphaned resource cleanup (flows with no owners)
└── Custom welcome email with internal training links

A well-configured CoE shifts the admin from reactive firefighting to proactive quality management.

Pillar 4: ALM with Solutions and DevOps

Ungoverned apps are built directly in environments — no source control, no review, no deployment pipeline. The antidote is Solutions-based development combined with CI/CD.

The golden rule: if it matters, it is in a solution.

My standard ALM pipeline using GitHub Actions:

# .github/workflows/deploy-power-platform.yml
name: Deploy Power Platform Solution

on:
  push:
    branches: [main]

jobs:
  export-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install PAC CLI
        uses: microsoft/powerplatform-actions/actions-install@v1
      
      - name: Export solution from dev
        uses: microsoft/powerplatform-actions/export-solution@v1
        with:
          environment-url: $
          app-id: $
          client-secret: $
          solution-name: MyEnterpriseApp
          solution-output-file: solutions/MyEnterpriseApp.zip
          managed: false
      
      - name: Unpack solution
        uses: microsoft/powerplatform-actions/unpack-solution@v1
        with:
          solution-file: solutions/MyEnterpriseApp.zip
          solution-folder: src/MyEnterpriseApp
      
      - name: Import to production
        uses: microsoft/powerplatform-actions/import-solution@v1
        with:
          environment-url: $
          app-id: $
          client-secret: $
          solution-file: solutions/MyEnterpriseApp_managed.zip
          managed: true

Naming conventions I enforce:

Solution:  [OrgCode]_[Domain]_[AppName]_v[Major]
App:       [OrgCode]_[Domain]_[AppName]
Flow:      [OrgCode]_[Trigger]_[Action]_[Entity]
Table:     [orgcode]_[entityname]
Column:    [orgcode]_[columnname]

Consistent naming sounds trivial. After 18 months in a tenant with 500+ assets, it becomes the difference between a maintainable platform and an unmaintainable one.

Operational Playbook: Common Scenarios

Scenario 1: Maker wants to use an unapproved connector

Without governance: They figure out a workaround (HTTP connector, custom connector) or just use the free tier of the external service.

With governance: Submit a connector exception request via the CoE portal → admin review within 2 business days → approved connectors added to the relevant DLP policy → maker gets a notification.

Scenario 2: Critical flow breaks because the owner left

Without governance: Production outage. Nobody knows the credentials. Flow runs under a personal account.

With governance:

• All flows use service principal connections (not personal accounts)
• All flows have at least two owners
• Orphan detection in CoE alerts admins when a maker leaves
• Automated ownership transfer workflow triggered by HR offboarding

Scenario 3: Capacity planning for Dataverse

Without governance: You hit the Dataverse storage limit. Emergency purchase under pressure.

With governance:

• CoE reports monthly on storage trends per environment
• Alerts at 70% capacity thresholds
• Automated cleanup of completed flow run history (largest hidden storage consumer)

Metrics That Matter

After implementing governance, track these KPIs monthly:

The Cultural Side

Technology alone does not create a governed platform. The hardest part is always change management:

• Run Power Platform Office Hours — 30 minutes weekly where makers can get help. This surfaces governance friction early.
• Celebrate makers — a monthly “Power Platform showcase” where teams demo their apps builds positive culture around the platform.
• Self-service, not bureaucracy — make environment requests and DLP exceptions easy and fast. If the process is painful, makers go around it.

Conclusion

Power Platform governance is not about restricting innovation — it is about making innovation sustainable. The organisations that invest in governance early end up with a thriving, trusted maker ecosystem. Those that do not end up with a shadow IT problem disguised as digital transformation.

The pattern that works: strict defaults, easy exceptions, full visibility, and strong maker enablement. Start with the CoE Starter Kit, build your environment strategy, and layer DLP policies with care. The first 3 months of governance work will save years of remediation.

Retrieval-Augmented Generation (RAG) has emerged as the go-to pattern for grounding large language models in enterprise knowledge bases. After building several production RAG systems on Azure, I want to share the architecture decisions, pitfalls, and patterns that actually work in practice — specifically when SharePoint Online is your primary knowledge store.

Why RAG + SharePoint Makes Sense

Most enterprises already have years of institutional knowledge locked inside SharePoint — policies, procedures, project documentation, wikis, and more. The challenge has always been discoverability. People simply don’t know where to look, or the search results are too noisy to be useful.

RAG changes this fundamentally. Instead of keyword search, users ask natural language questions and get synthesised answers drawn directly from authoritative documents. When you pair this with SharePoint as the data source, you unlock:

• Existing governance — SharePoint permissions map naturally to RAG access control
• Familiar content management — content owners keep managing content as they always have
• M365 integration — surfaced inside Teams, Copilot Studio, or custom apps via Graph API

The Architecture

Here is the architecture I have deployed across multiple enterprise clients:

SharePoint Online
      │
      ▼
  MS Graph API  ←── delta queries for incremental sync
      │
      ▼
  Azure Function (Indexer)
      │
      ├── Chunk & clean text (overlap sliding window)
      ├── Generate embeddings (Azure OpenAI text-embedding-3-large)
      └── Upsert to Azure AI Search (vector + keyword hybrid index)
                          │
                          ▼
              Copilot Studio / Custom App
                          │
                          ├── User Query → Embedding
                          ├── Hybrid Search (vector + BM25)
                          ├── Rerank top-k results
                          └── Azure OpenAI GPT-4o (grounded prompt)
                                      │
                                      ▼
                              Cited Answer to User

Key components:

Step 1 — Indexing SharePoint Content

The indexer runs as an Azure Function on a timer trigger. It uses the Microsoft Graph API delta endpoint to fetch only files changed since the last run — this keeps costs low and indexing fast.

// Delta query to get changed SharePoint files
var deltaQuery = await _graphClient
    .Sites[siteId]
    .Drive.Root.Delta
    .GetAsDeltaGetResponseAsync(req =>
    {
        req.QueryParameters.Select = new[] { "id", "name", "lastModifiedDateTime", "file" };
    });

For each changed file I:

1. Download the content (PDF, DOCX, PPTX supported via Document Intelligence)
2. Split into overlapping chunks (600 tokens, 100 overlap — tuned empirically)
3. Generate embeddings with text-embedding-3-large
4. Upsert into Azure AI Search with metadata (file name, URL, last modified, SharePoint permissions)

Step 2 — Chunking Strategy Matters

This is where most RAG projects go wrong. Naive chunking by character count destroys semantic coherence. What I use:

• Semantic chunking: Split at paragraph and sentence boundaries, not arbitrary character counts
• Overlapping windows: 15–20% overlap ensures context isn’t lost at boundaries
• Metadata injection: Prepend document title and section heading to each chunk — this dramatically improves retrieval relevance
• Chunk size: 500–800 tokens for SharePoint content (policy docs, wikis). Smaller for Q&A content.

def chunk_document(text: str, title: str, section: str) -> list[str]:
    """Semantic chunking with metadata prefix."""
    sentences = split_by_sentence(text)
    chunks = []
    current = f"Document: {title}\nSection: {section}\n\n"
    
    for sentence in sentences:
        if token_count(current + sentence) > MAX_CHUNK_TOKENS:
            chunks.append(current.strip())
            # Overlap: keep last sentence
            current = f"Document: {title}\nSection: {section}\n\n{sentence} "
        else:
            current += sentence + " "
    
    if current.strip():
        chunks.append(current.strip())
    
    return chunks

Step 3 — Hybrid Retrieval in Azure AI Search

Pure vector search misses exact keyword matches. Pure keyword search misses semantic similarity. Hybrid search with Reciprocal Rank Fusion (RRF) gives the best of both worlds.

{
  "search": "leave policy maternity",
  "vectorQueries": [{
    "kind": "vector",
    "vector": [/* query embedding */],
    "fields": "contentVector",
    "k": 50
  }],
  "queryType": "semantic",
  "semanticConfiguration": "my-semantic-config",
  "select": "title, content, sourceUrl, permissions",
  "top": 5
}

The semanticConfiguration enables Azure AI Search’s built-in re-ranking model, which re-scores the top 50 results using a cross-encoder. This two-stage retrieval (vector → rerank) consistently outperforms single-stage approaches.

Step 4 — Permission-Aware Retrieval

This is critical in enterprise settings and often overlooked in tutorials. Users must only get answers based on content they are permitted to see. I handle this by:

1. Storing SharePoint permission groups alongside each chunk in the index
2. Passing the user’s group memberships (from Graph API) as a filter at query time

var filter = $"permissions/any(p: p eq '{string.Join("' or p eq '", userGroups)}')";

This ensures the RAG system respects existing SharePoint governance — no re-implementation of access control needed.

Step 5 — Grounded Prompt Engineering

The system prompt is critical. A few principles that work well:

You are an enterprise knowledge assistant. Answer questions based ONLY on the 
provided context documents. 

Rules:
- Always cite the source document name and URL for every fact you state
- If the context does not contain enough information, say so clearly
- Never make up information or use knowledge outside the provided context
- Respond in the same language as the user's question

Forcing citations reduces hallucination and builds user trust. When the answer references a specific SharePoint page, users can click through to the source — this is the enterprise trust signal that matters most.

Performance and Cost Optimisation

After running these systems in production for several months:

• Embedding model: text-embedding-3-large over ada-002 — better retrieval quality for approximately the same cost
• Caching: Cache embeddings for unchanged chunks — the majority of re-indexing runs touch <5% of content
• Batch embedding: Use Azure OpenAI batch API for bulk indexing (60–70% cost reduction vs. real-time)
• Index partitioning: Partition the search index by SharePoint site — enables independent scaling and faster tenant-scoped queries

What I Would Do Differently

1. Start with Semantic Kernel — do not hand-roll the orchestration. SK’s memory and plugin abstractions save weeks of plumbing
2. Instrument from day one — log retrieval scores, user feedback, and latency. You cannot improve what you cannot measure
3. Test with real user queries — the queries people actually ask are very different from what developers imagine during build
4. Plan for document lifecycle — deleted documents must be removed from the index. Delta sync covers updates but not deletions without explicit handling

Conclusion

RAG on SharePoint is one of the highest-ROI AI investments an enterprise can make. The knowledge is already there — it just needs to be made accessible. The architecture I have outlined is production-tested, permission-aware, and cost-efficient. The key differentiator is treating chunking, retrieval quality, and citation as first-class concerns rather than afterthoughts.

If you are building something similar or have questions about scaling this pattern, feel free to reach out — I am always happy to discuss enterprise AI architecture.