Microsoft Cloud for Manufacturing — Industry Cloud Hub (2026)
Microsoft Cloud for Manufacturing Enterprise Guide (2026)
How industrial enterprises deploy Microsoft Cloud for Manufacturing end-to-end — Smart Factory Agents, the Factory Operations Agent, Connected Factory and Connected Worker, Microsoft Cloud for Sustainability, and Dynamics 365 Supply Chain Management and Finance and Operations — with Azure IoT Operations at the edge, SAP S/4HANA coexistence via Fabric mirror, AI-driven quality inspection, ISA-95 and ISA/IEC 62443 (ISA-99) discipline, and audit-ready governance.
Published 2026-06-16 · Microsoft Solutions Partner — six designations · 4× Microsoft Press bestselling author · Nearly three decades of Microsoft consulting delivery
Microsoft Cloud for Manufacturing bundles Smart Factory Agents, the Factory Operations Agent, Connected Factory and Connected Worker, Microsoft Cloud for Sustainability, and Dynamics 365 SCM and F&O on Azure IoT Operations at the edge and the Microsoft Fabric manufacturing lakehouse in the cloud. EPC Group delivers a fixed-fee, milestone-priced five-phase Manufacturing Cloud Accelerator from $350K to $1.5M with ISA-95, ISA-99, and named regulatory-overlay discipline.
Key Facts
- EPC Group is a Microsoft Solutions Partner with six designations and nearly three decades of Microsoft consulting delivery since 1997.
- 11,000+ Microsoft engagements completed across 70+ Fortune 500 organizations.
- Microsoft Cloud for Manufacturing bundles Smart Factory Agents, the Factory Operations Agent, Connected Factory and Connected Worker, Microsoft Cloud for Sustainability, and Dynamics 365 SCM and F&O.
- Six named enterprise use cases — predictive maintenance, OEE optimization, shop-floor connectivity, quality inspection AI, supplier collaboration, and sustainability reporting — each with named Microsoft Cloud for Manufacturing surfaces.
- 500+ Microsoft Fabric implementations and 1,500+ Power BI deployments — both extend naturally into the Fabric manufacturing lakehouse and the manufacturing Power BI semantic models.
- Azure IoT Operations on an Azure Arc-enabled Kubernetes edge cluster is the sanctioned shop-floor connectivity pattern, with local store-and-forward across WAN-outage windows and Defender for IoT watching the OT/IT conduit.
- SAP S/4HANA coexistence is handled by the Microsoft Fabric SAP mirror — Microsoft Cloud for Manufacturing AI and analytics surfaces ground on the mirror, never against the SAP transactional system of record.
- Compliance coverage spans HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP — with ISA-95, ISA/IEC 62443 (ISA-99), AS9100, GxP, FDA 21 CFR Part 11, ITAR/EAR, CSRD, ESRS, and SEC climate disclosure mapped to the Purview taxonomy at engagement kick-off.
The Five Microsoft Cloud for Manufacturing Components
Microsoft Cloud for Manufacturing is not a single product. It is an industry-specific bundling of five named components, each with a distinct purpose in the industrial-enterprise stack. The deployment plan names which components are in scope, which are deferred, and which are out of scope before any provisioning happens — and the OT/IT boundary placement is signed off before the first edge cluster lands at the plant.
Smart Factory Agents — Copilot for plant operations
Smart Factory Agents are the Microsoft Cloud for Manufacturing surface that brings Copilot grounding directly into plant-floor operations. The agents reason over the conformed manufacturing lakehouse in Microsoft Fabric — production orders, downtime events, OEE telemetry, maintenance work orders, quality non-conformances, and supplier confirmations — and surface answers inside Microsoft 365, Teams, and the Power Apps shop-floor shell. The agents respect the ISA-95 Level 3 manufacturing-execution-system boundary and never write back into a control loop, but they do let a plant manager ask "why did line three lose seven points of OEE last shift" and receive a sourced, citable, named-evidence answer in seconds.
Named capabilities
- Copilot grounding catalog scoped to the conformed manufacturing lakehouse in Microsoft Fabric with named sensitivity labels per dataset
- Plant-floor Q-and-A surface inside Microsoft 365, Teams, and the Power Apps shop-floor shell — read-only on the manufacturing-execution-system boundary
- Named guardrails for control-loop safety — agents never write to programmable-logic-controller or distributed-control-system registers, and the guardrails are enforced declaratively in Copilot Studio
- Sentinel audit trail of every plant-floor prompt with seven-year retention indexed by user, grounding source, prompt category, and asset hierarchy
Factory Operations Agent — production, quality, maintenance
The Factory Operations Agent is the Microsoft Cloud for Manufacturing component that anchors the cross-functional plant view — production scheduling and execution, quality non-conformance triage, preventive and predictive maintenance work-order flow, and supplier deviation handling. The agent runs against the Dynamics 365 Supply Chain Management production-order model, the Fabric manufacturing medallion architecture, and the Azure IoT Operations telemetry plane, with named hand-offs to the manufacturing-execution-system layer. The component answers the plant-leadership questions that used to require three reports and a stand-up meeting — first-pass yield, schedule attainment, mean-time-between-failure, and supplier on-time-in-full — from one consented data surface.
Named capabilities
- Native integration into Dynamics 365 Supply Chain Management production orders, batch attributes, and quality-management non-conformances
- OEE, schedule-attainment, first-pass-yield, and mean-time-between-failure surfaces wired to the Fabric manufacturing lakehouse gold layer
- Preventive and predictive maintenance work-order flow with named hand-off into Dynamics 365 Field Service or the resident enterprise asset management system
- Supplier deviation handling with consented hand-off to Dynamics 365 Intelligent Order Management and the Power Apps supplier portal
Connected Factory + Connected Worker
Connected Factory is the data-plane component that aggregates plant-floor telemetry from programmable logic controllers, supervisory control and data acquisition historians, edge gateways, and manufacturing-execution-system events into one Azure-IoT-Operations-anchored ingestion fabric. Connected Worker is the front-line workforce component that surfaces work instructions, digital standard operating procedures, safety briefings, and Teams-Walkie-Talkie-grade communications to a ruggedized device on the line. Together they close the gap between control-systems data and front-line decisions — without breaking the ISA-99 zone-segmentation model that the operational-technology security team relies on.
Named capabilities
- Azure IoT Operations data-plane ingestion from OPC UA, MQTT, and Sparkplug B with Azure Arc-enabled edge runtime at the plant
- Conformed manufacturing event model that aligns to the ISA-95 Part 1 hierarchy — enterprise, site, area, work center, work unit
- Connected Worker on Microsoft 365 with digital standard operating procedures, Teams Walkie Talkie, Viva Connections briefings, and ruggedized Surface and Android device pattern
- Power Apps shop-floor shell for andon, downtime reason coding, defect capture, and changeover checklists — offline-capable for the line
Microsoft Cloud for Sustainability — manufacturing emissions
Microsoft Cloud for Sustainability is the Microsoft Cloud for Manufacturing companion component that quantifies and reports Scope 1, Scope 2, and Scope 3 emissions against named regulatory and voluntary frameworks — the EU Corporate Sustainability Reporting Directive (CSRD) and the European Sustainability Reporting Standards, the US Securities and Exchange Commission climate disclosure rule, the Task Force on Climate-related Financial Disclosures, and the Carbon Border Adjustment Mechanism. The component reads from the conformed manufacturing lakehouse, the enterprise resource planning system, the energy-management system, and the supplier-engagement portal, then publishes the audit-ready disclosure file with the documented assurance package the third-party assurance provider needs.
Named capabilities
- Conformed Scope 1, Scope 2, and Scope 3 emissions model that reads from the Fabric manufacturing lakehouse, the ERP, the energy-management system, and the supplier-engagement portal
- Audit-ready disclosure file generation for CSRD and ESRS, the US SEC climate disclosure rule, TCFD, and the Carbon Border Adjustment Mechanism
- Supplier-engagement Power Pages portal with consented Scope 3 data exchange and supplier-attestation workflow
- Energy-intensity, water-intensity, and waste-intensity Power BI dashboards anchored on the manufacturing gold layer with row-level security tied to the site organization model
Dynamics 365 Supply Chain Management + Finance and Operations
Dynamics 365 Supply Chain Management and Dynamics 365 Finance and Operations are the enterprise resource planning anchor for Microsoft Cloud for Manufacturing — and the gravity well for the conformed master-data and transaction model that the rest of the industry cloud snaps to. The SCM module covers the production-order model, batch and serial attributes, inventory and warehouse management, demand and supply planning, and the quality-management non-conformance model. The F&O module covers the general ledger, the fixed-asset book, accounts payable, accounts receivable, and the cost-accounting model. Both modules sit on the Dataverse and emit the conformed event stream the Fabric manufacturing medallion architecture consumes.
Named capabilities
- Dynamics 365 SCM production orders, batch and serial attributes, inventory, warehouse management, and demand-and-supply planning on Dataverse
- Dynamics 365 F&O general ledger, fixed-asset book, accounts payable and receivable, and cost-accounting model on Dataverse
- Conformed event stream into the Fabric manufacturing medallion architecture — bronze ingest, silver conform, gold publish
- Dynamics 365 Intelligent Order Management bridge into the supplier-engagement portal and the customer-orderbook surface
Six Enterprise Use Cases — Architecture Briefings
Six use cases account for the overwhelming majority of Microsoft Cloud for Manufacturing enterprise deployments today. Every use case names the Microsoft surfaces in scope, the OT/IT boundary placement, and the data flow end-to-end. No use case is invented at engagement kick-off — the architecture is anchored on the named pattern before the first ticket is opened.
Predictive maintenance — asset-health early warning
Predictive maintenance fuses programmable-logic-controller telemetry, supervisory-control-and-data-acquisition historians, manufacturing-execution-system event logs, and computerized-maintenance-management-system work-order history into a Fabric manufacturing lakehouse that scores every named asset for impending failure. The EPC pattern lands telemetry through Azure IoT Operations into the bronze layer, conforms asset hierarchy at the silver layer against the ISA-95 work-center model, and runs Fabric notebooks for vibration-, temperature-, and current-signature anomaly detection at the gold layer. The high-risk subset routes to Dynamics 365 Field Service or the resident enterprise-asset-management system through a named human-in-the-loop reviewer queue. Documented model governance, drift monitoring, and Sentinel audit retention apply end-to-end.
Microsoft surfaces in scope
- Azure IoT Operations data-plane ingestion of programmable-logic-controller, SCADA, and CMMS event streams into the Fabric manufacturing bronze layer
- Fabric silver layer conformed to the ISA-95 work-center hierarchy with named asset, equipment, and component models
- Fabric notebooks scoring vibration, temperature, and current-signature anomalies with documented model governance and drift monitoring
- Dynamics 365 Field Service or resident EAM system receiving the work-order recommendation through a named human-in-the-loop reviewer queue
OEE optimization — availability, performance, quality
Overall equipment effectiveness optimization is the most-funded plant-floor analytics use case in 2026 because the three input ratios — availability, performance, and quality — are the cleanest proxy for plant cash flow. The EPC pattern anchors OEE on the conformed manufacturing-execution-system event model in the Fabric lakehouse, surfaces downtime reason codes through the Power Apps shop-floor shell, and delivers plant-leadership, line-leadership, and shift-leadership dashboards in Power BI with row-level security tied to the site organization model. Copilot grounds on the OEE gold layer for plant-leadership Q-and-A — "why did line three lose seven points last shift" answered with named-evidence citation.
Microsoft surfaces in scope
- Conformed MES event model in the Fabric manufacturing silver layer — production order, downtime event, defect event, changeover event
- Power Apps shop-floor shell for downtime reason coding, defect capture, and changeover checklists with offline support
- Power BI plant-leadership, line-leadership, and shift-leadership OEE dashboards anchored on the gold layer with site-organization row-level security
- Microsoft 365 Copilot grounded on the OEE gold layer behind a Purview sensitivity label for plant-leadership Q-and-A and root-cause acceleration
Shop-floor connectivity — OPC UA, MQTT, Sparkplug B
Shop-floor connectivity in 2026 is no longer a custom industrial-PC build — it is an Azure-Arc-enabled Kubernetes edge runtime that hosts Azure IoT Operations and brokers OPC UA, MQTT, and Sparkplug B traffic between the control-systems layer and the cloud-data-plane layer. The EPC pattern stands up the Arc-enabled edge cluster at the plant, configures the OPC UA broker with a named tag taxonomy mapped to the ISA-95 work-center hierarchy, and routes the telemetry through the Azure IoT Operations message broker into the Fabric manufacturing lakehouse. Local store-and-forward on the edge cluster survives wide-area-network outages without losing a single event.
Microsoft surfaces in scope
- Azure Arc-enabled Kubernetes edge cluster at the plant hosting Azure IoT Operations with local store-and-forward through the WAN-outage window
- OPC UA, MQTT, and Sparkplug B broker configuration with a named tag taxonomy mapped to the ISA-95 work-center hierarchy
- Azure Event Grid and Event Hubs landing the conformed event stream into the Fabric manufacturing bronze layer through the message broker
- Defender for IoT operational-technology monitoring of every edge gateway and every protocol broker — east-west OT-network anomaly detection included
Quality inspection AI — Computer Vision + Azure OpenAI
Quality inspection AI fuses Azure AI Vision (formerly Computer Vision) with Azure OpenAI to deliver named-defect detection on the line — surface defects, missing components, mis-orientation, and labeling errors — at frame rates the human inspector cannot match. The EPC pattern trains the named-defect model against a curated, labeled image corpus, deploys the model as an Azure AI Foundry container to the Azure Arc edge runtime at the plant, and routes the high-confidence defect call into the Dynamics 365 Supply Chain Management quality-management non-conformance flow. Azure OpenAI summarizes the defect-cluster pattern for the quality-leadership Q-and-A surface. Model governance, drift monitoring, and Sentinel audit retention apply end-to-end.
Microsoft surfaces in scope
- Azure AI Vision named-defect detection model trained on a curated, labeled image corpus with documented training-data lineage
- Azure AI Foundry container deployment to the Azure Arc edge runtime at the plant with local inference and low-latency frame processing
- Dynamics 365 SCM quality-management non-conformance flow receiving the high-confidence defect call with a named human-in-the-loop disposition step
- Azure OpenAI defect-cluster summarization for the Power BI quality-leadership dashboard and the Copilot quality-leadership Q-and-A surface
Supplier collaboration — orderbook, deviation, attestation
Supplier collaboration spans purchase-order acknowledgment, advance-shipment-notice exchange, deviation handling, quality attestation, and Scope 3 emissions data exchange. The Microsoft Cloud for Manufacturing pattern anchors supplier collaboration on a Power Pages portal that federates supplier identity through Microsoft Entra External ID, exchanges purchase-order and advance-shipment-notice events through Dynamics 365 Intelligent Order Management, and runs Power Automate flows for deviation handling and quality attestation. Microsoft Cloud for Sustainability extends the same portal with the Scope 3 emissions exchange so the supplier sees one front door, not three.
Microsoft surfaces in scope
- Power Pages supplier portal with Microsoft Entra External ID federation and supplier-attestation workflow
- Dynamics 365 Intelligent Order Management exchanging purchase-order acknowledgment, advance-shipment-notice, and deviation events
- Power Automate flows for deviation handling, quality attestation, and supplier scorecard maintenance
- Microsoft Cloud for Sustainability Scope 3 emissions data exchange on the same supplier portal — single front door
Sustainability reporting — CSRD, ESRS, SEC climate
Sustainability reporting in 2026 is the highest-stakes disclosure load most manufacturers have ever carried — the EU Corporate Sustainability Reporting Directive (CSRD) phased into effect for in-scope EU and non-EU manufacturers, the US Securities and Exchange Commission climate disclosure rule sitting alongside it, and the Carbon Border Adjustment Mechanism (CBAM) escalating from reporting to financial obligation. Microsoft Cloud for Sustainability anchors the conformed emissions model in the Fabric manufacturing lakehouse, generates the audit-ready disclosure file with the documented assurance package, and publishes the supplier-attestation evidence the third-party assurance provider needs to issue an opinion.
Microsoft surfaces in scope
- Conformed Scope 1, Scope 2, and Scope 3 emissions model in the Fabric manufacturing gold layer with named methodology citation per category
- Audit-ready CSRD and ESRS disclosure file generation, US SEC climate rule disclosure, TCFD-aligned narrative, and CBAM submission file
- Supplier-attestation evidence package routed through the supplier portal — Scope 3 Category 1 (Purchased Goods and Services) and Category 4 (Upstream Transportation)
- Microsoft Sentinel audit-log retention of every emissions calculation invocation, every disclosure-file generation, and every supplier attestation — seven-year retention
IoT Integration — Azure IoT Hub, IoT Central, IoT Edge, Defender for IoT
Microsoft Cloud for Manufacturing rides on the Azure IoT family — Azure IoT Hub for cloud-side message brokering, Azure IoT Central as the connected-product application platform, Azure IoT Edge plus Azure IoT Operations for the Azure-Arc-enabled Kubernetes edge runtime at the plant, and Microsoft Defender for IoT for passive operational-technology network monitoring. Each service has a named role in the architecture, and the deployment plan names which services are in scope before the first edge cluster lands. Deeper coverage of Azure Arc multi-cloud and hybrid patterns lives at the Azure Arc Hybrid + Multi-Cloud Enterprise hub.
Azure IoT Hub
Azure IoT Hub remains the cloud-side message broker for device-to-cloud and cloud-to-device traffic where device-identity, device-twin, and direct-method semantics are the unit of integration. In the Microsoft Cloud for Manufacturing pattern, IoT Hub sits behind Azure IoT Operations as the cloud landing zone for the conformed telemetry stream that the edge runtime publishes north-bound.
Azure IoT Central
Azure IoT Central is the managed application-platform layer that accelerates connected-product and connected-asset scenarios on top of IoT Hub. For manufacturers whose product portfolio includes connected equipment shipped to customers, IoT Central is the fastest path to a managed customer-facing connected-product application — with Dynamics 365 Field Service integration as the named service-event surface.
Azure IoT Edge + Azure IoT Operations
Azure IoT Edge and Azure IoT Operations form the Azure-Arc-enabled Kubernetes edge runtime that brokers OPC UA, MQTT, and Sparkplug B traffic between the control-systems layer and the cloud-data-plane layer at the plant. Local store-and-forward survives WAN outages without event loss. IoT Operations is the strategic successor architecture for greenfield plant deployments in 2026.
Microsoft Defender for IoT
Microsoft Defender for IoT delivers passive operational-technology network monitoring, east-west OT-network anomaly detection, and the ISA/IEC 62443 (ISA-99) zone-and-conduit visibility the operational-technology security team needs to defend the plant. Defender for IoT integrates with Microsoft Sentinel for cross-domain correlation across IT and OT signal — incident ticketing routes through one console.
ERP Integration — Dynamics 365 SCM + F&O, SAP S/4HANA, and OT/IT Convergence
The enterprise resource planning anchor is the gravity well for the conformed master-data and transaction model in Microsoft Cloud for Manufacturing. Some manufacturers run Dynamics 365 Supply Chain Management and Finance and Operations as the strategic ERP; others run SAP S/4HANA, Oracle, or Infor and intend to keep that estate for the next five years. The Microsoft Cloud for Manufacturing pattern accommodates both — through native Dataverse integration where Dynamics 365 SCM and F&O is the ERP, and through the Microsoft Fabric SAP mirror or a Fabric data-engineering ingestion where the ERP is SAP, Oracle, or Infor. The OT/IT boundary is the architectural fact that governs every connector placement. Deeper Dynamics 365 coverage lives at the Microsoft Dynamics 365 Implementation Enterprise hub.
Dynamics 365 Supply Chain Management + Finance and Operations
Dynamics 365 SCM and F&O on Dataverse are the strategic Microsoft-native ERP anchor for Microsoft Cloud for Manufacturing — the production-order model, batch and serial attributes, inventory and warehouse management, general ledger, fixed-asset book, and cost-accounting model live here and emit a conformed event stream the Fabric manufacturing medallion architecture consumes.
SAP S/4HANA coexistence via Microsoft Fabric mirror
For manufacturers whose SAP S/4HANA estate is the strategic ERP for the next five years, the Microsoft Cloud for Manufacturing pattern is a Microsoft Fabric mirror — the Fabric SAP mirror exposes the conformed SAP table set as a near-real-time, read-optimized OneLake surface that downstream Microsoft analytics and AI surfaces consume without re-platforming the SAP system of record. The SAP S/4HANA Embedded Analytics and the SAP RISE landing zone remain inside SAP — Fabric mirror is the consumption layer.
OT/IT convergence under ISA-95 and ISA-99
OT/IT convergence is the architectural decision that the manufacturing-execution-system layer at ISA-95 Level 3 and the control-systems layer at ISA-95 Level 2 and below remain inside the operational-technology security boundary, while the enterprise-resource-planning layer at ISA-95 Level 4 and the analytics-and-AI layer at the cloud level live inside the information-technology security boundary — and the conformed event stream crosses the boundary through one named broker, with Defender for IoT watching the conduit. ISA/IEC 62443 (ISA-99) zone-and-conduit segmentation is the governing reference.
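One way to check a plant's flow inventory against the boundary rule described above, together with the read-only guardrail stated earlier for Smart Factory Agents. This is an added example, not EPC Group or Microsoft code; the asset names, the broker name `edge-broker`, the `CLOUD` sentinel and the flow list are constructed assumptions.

```python
"""Audit a data-flow inventory against the OT/IT boundary rules.

Rules taken from the text:
  1. ISA-95 Level 3 (MES) and below sit inside the OT boundary; Level 4 (ERP)
     and the cloud analytics/AI layer sit inside the IT boundary.
  2. Traffic that crosses the boundary must use the one named broker.
  3. Nothing on the IT side writes into the OT side (read-only guardrail).
All names and sample flows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLOUD = 5                     # assumption: sentinel for the cloud layer (not an ISA-95 level)
NAMED_BROKER = "edge-broker"  # hypothetical name for the single sanctioned conduit


@dataclass(frozen=True)
class Asset:
    name: str
    level: int                # ISA-95 level 0-4, or CLOUD

    @property
    def zone(self) -> str:
        return "OT" if self.level <= 3 else "IT"


@dataclass(frozen=True)
class Flow:
    src: Asset                # initiator of the flow
    dst: Asset                # target of the flow
    op: str                   # "publish" (src sends data), "read" (src pulls data),
                              # "write" (src changes state on dst)
    via: Optional[str] = None # broker the flow traverses, if any


def audit(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, rule) for every flow that violates a boundary rule."""
    findings = []
    for f in flows:
        if f.src.zone == f.dst.zone:
            continue          # intra-zone traffic is outside this check
        if f.via != NAMED_BROKER:
            findings.append((f.src.name, f.dst.name, "BYPASSES_BROKER"))
        if f.src.zone == "IT" and f.op == "write":
            findings.append((f.src.name, f.dst.name, "IT_WRITE_INTO_OT"))
    return findings


# Constructed sample inventory.
plc = Asset("plc-line3", 1)
historian = Asset("scada-historian", 2)
mes = Asset("mes", 3)
erp = Asset("erp", 4)
workstation = Asset("eng-workstation", 4)
lakehouse = Asset("lakehouse", CLOUD)
agent = Asset("factory-agent", CLOUD)
report = Asset("bi-report", CLOUD)

SAMPLE_FLOWS = [
    Flow(plc, mes, "publish"),                          # stays inside OT
    Flow(mes, lakehouse, "publish", via=NAMED_BROKER),  # sanctioned northbound path
    Flow(erp, mes, "read", via=NAMED_BROKER),           # read through the broker
    Flow(agent, plc, "write", via=NAMED_BROKER),        # write into a control asset
    Flow(report, historian, "read"),                    # direct pull, no broker
    Flow(workstation, plc, "write"),                    # direct write, no broker
]

if __name__ == "__main__":
    for src, dst, rule in audit(SAMPLE_FLOWS):
        print(f"{rule:18} {src} -> {dst}")
```

Going through the broker does not make a write acceptable: the `factory-agent` flow is still flagged, which is why the two rules are checked independently.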
Oracle, Infor, and legacy ERP coexistence
For manufacturers running Oracle EBS, Oracle Fusion Cloud, Infor LN or M3, or a legacy AS/400 or JD Edwards estate, the Microsoft Cloud for Manufacturing pattern is a Fabric data-engineering ingestion that lands the named transaction tables into the bronze layer, conforms at the silver layer against the ISA-95 hierarchy, and publishes the gold-layer manufacturing semantic model. The legacy ERP remains the system of record — Fabric is the consumption and AI-grounding layer.
AI Quality Inspection — Azure AI Vision + Azure OpenAI on the Edge
AI quality inspection is the most-funded AI use case on the plant floor in 2026 — and the only one that reliably underwrites a single-plant business case in months, not years. The EPC pattern fuses Azure AI Vision (named-defect detection) with Azure OpenAI (defect-cluster summarization), deploys the model as an Azure AI Foundry container to the Azure Arc edge runtime at the plant for low-latency line-speed inference, and routes the high-confidence defect call into the Dynamics 365 Supply Chain Management quality-management non-conformance flow. The five named stages below carry the engagement end-to-end. Deeper Fabric real-time intelligence coverage lives at the Microsoft Fabric Real-Time Intelligence Enterprise hub.
1. Data acquisition and labeling
A curated, labeled image corpus is the precondition for any named-defect-detection model. The EPC pattern names the image-acquisition camera, the line position, the lighting envelope, and the labeling-vendor workflow. Azure AI Foundry data labeling or a named third-party labeling partner provides the labeled corpus with documented training-data lineage.
2. Model training in Azure AI Foundry
Named-defect-detection models train in Azure AI Foundry against the labeled corpus. Documented model governance covers intended use, training-data lineage, validation cohort, accuracy and precision metrics, drift-monitoring approach, and the human-in-the-loop reviewer queue.
3. Edge deployment with Azure IoT Operations
The trained model deploys as a container to the Azure Arc edge runtime at the plant alongside Azure IoT Operations. Local inference delivers the low-latency frame processing the line requires. Model updates flow through the Azure Arc GitOps configuration channel with documented change control.
4. Quality non-conformance flow in Dynamics 365 SCM
High-confidence defect calls route into the Dynamics 365 Supply Chain Management quality-management non-conformance flow through a named human-in-the-loop disposition step — accept, rework, scrap, supplier deviation. The non-conformance flow is the named audit-evidence record.
5. Azure OpenAI cluster summarization and Copilot Q-and-A
Azure OpenAI summarizes the defect-cluster pattern by product, line, shift, and supplier lot — surfacing the named-evidence cluster to the quality-leadership Power BI dashboard and the Copilot quality-leadership Q-and-A surface. Sensitivity labels, model governance, and Sentinel audit retention apply end-to-end.
EPC Manufacturing Cloud Accelerator — Five Phases, $350K to $1.5M
The EPC Manufacturing Cloud Accelerator is a fixed-scope, fixed-fee, milestone-priced engagement that delivers Microsoft Cloud for Manufacturing end-to-end against the named ERP estate, the named MES vendor, the named control-systems estate, and the named regulatory overlay. The engagement is senior-architect-led, with no offshore handoff, a weekly executive briefing, and a named regulatory-overlay evidence package at handoff. Pricing runs from $350K (single-plant foundation) to $1.5M (full multi-site deployment) depending on scope. The accelerator runs inside the broader EPC Cloud Orchestrator.
Phase 1: Discovery and architecture
Weeks 1 to 3
Named ERP estate (Dynamics 365 SCM and F&O, SAP S/4HANA, Oracle, Infor, or hybrid), named MES vendor, named control-systems estate, named Microsoft Cloud for Manufacturing components in scope, named OT/IT boundary, and named regulatory overlay documented end-to-end. The phase output is the signed integration architecture document, the ISA-95 hierarchy map, the ISA-99 zone-and-conduit map, and the named regulatory-overlay summary.
Named deliverables
- Microsoft Cloud for Manufacturing component map — Smart Factory Agents, Factory Operations Agent, Connected Factory + Connected Worker, Sustainability, and Dynamics 365 SCM + F&O
- ISA-95 Part 1 hierarchy map (enterprise, site, area, work center, work unit) signed by the operations-and-engineering owner
- ISA-99 zone-and-conduit map signed by the operational-technology security officer with named broker placement and named jump-host pattern
- Regulatory-overlay summary — GxP, FDA 21 CFR Part 11, AS9100, ITAR/EAR, CSRD, SEC climate, FSMA 204 as applicable — mapped to the Purview sensitivity-label taxonomy at kick-off
Phase 2: Foundation build — Azure IoT Operations + Fabric Manufacturing lakehouse
Weeks 4 to 9
Provision the Azure Arc-enabled edge cluster at the first plant. Deploy Azure IoT Operations with the OPC UA, MQTT, and Sparkplug B broker configuration. Stand up the Microsoft Fabric manufacturing lakehouse with the bronze, silver, and gold medallion architecture and the ISA-95 work-center hierarchy at the silver layer. Land the first MES and ERP event stream through the named broker into the bronze layer. Apply the Purview sensitivity-label taxonomy at OneLake.
Named deliverables
- Azure Arc-enabled Kubernetes edge cluster live at the first plant with Azure IoT Operations and the OPC UA, MQTT, and Sparkplug B broker tested end-to-end
- Fabric manufacturing lakehouse live with bronze, silver, and gold layers and ISA-95 work-center hierarchy conformed at silver
- First MES and ERP event stream landed in bronze, conformed at silver, and published at gold against the first plant
- Purview sensitivity-label taxonomy applied at OneLake and propagated to first Power BI dataset, plus Microsoft Sentinel pipeline configured for OT and IT signal with seven-year retention
Phase 3: Plant operations layer — Factory Operations Agent + Connected Worker + Power Apps shop-floor
Weeks 10 to 16
Stand up the Factory Operations Agent against the conformed Fabric manufacturing gold layer. Deploy the Power Apps shop-floor shell for downtime reason coding, defect capture, and changeover checklists with offline support. Configure Connected Worker on Microsoft 365 with digital standard operating procedures, Teams Walkie Talkie, and Viva Connections briefings. Wire the Defender for IoT zone map and the Microsoft Sentinel detection rule set.
Named deliverables
- Factory Operations Agent live against the conformed manufacturing gold layer — OEE, schedule attainment, first-pass yield, and MTBF surfaces wired
- Power Apps shop-floor shell live on the first line with offline-capable downtime reason coding, defect capture, and changeover checklists
- Connected Worker live on Microsoft 365 with digital standard operating procedures, Teams Walkie Talkie, and Viva Connections briefings on ruggedized device pattern
- Defender for IoT zone map signed by the operational-technology security officer and Microsoft Sentinel detection rule set live across OT and IT signal
Phase 4: AI surface — Smart Factory Agents + quality inspection + predictive maintenance
Weeks 17 to 22
Stand up Microsoft 365 Copilot grounding on the manufacturing gold layer behind a Purview sensitivity label. Deploy named Smart Factory Agents for plant-floor Q-and-A with named guardrails. Deploy Fabric notebooks for predictive maintenance scoring and the Azure AI Vision named-defect-detection model on the Azure Arc edge runtime. Wire the Dynamics 365 SCM quality-management non-conformance flow into the AI surface.
Named deliverables
- Microsoft 365 Copilot grounding catalog signed with named sensitivity label per item, named owner per item, and documented re-identification risk for cross-supplier datasets
- Smart Factory Agents live with named guardrails (read-only across the ISA-95 Level 3 boundary), named escalation triggers, and named transcript-retention pipeline into Sentinel
- Fabric predictive-maintenance notebooks live with documented model governance, drift monitoring, and human-in-the-loop reviewer queue routing into Dynamics 365 Field Service or resident EAM
- Azure AI Vision named-defect-detection model live on the Azure Arc edge runtime with low-latency frame processing and Dynamics 365 SCM quality-management non-conformance flow integration
Phase 5: Multi-site rollout, audit-readiness, and operational handoff
Weeks 23 to 30
Replicate the Phase 2-through-4 pattern across the named additional plants. Stand up the Microsoft Cloud for Sustainability emissions model and the CSRD or SEC climate disclosure-file generation. Sign the AS9100, GxP, FDA 21 CFR Part 11, or ITAR/EAR audit-readiness package as applicable. Hand off operations to the EPC managed-services bench or to the client operating model with a named hypercare window.
Named deliverables
- Multi-site rollout playbook executed across the named additional plants with named go-live dates and named site-lead acceptance
- Microsoft Cloud for Sustainability emissions model live with the audit-ready CSRD, ESRS, SEC climate, TCFD, and CBAM disclosure-file generation as applicable
- AS9100, GxP, FDA 21 CFR Part 11, or ITAR/EAR audit-readiness binder signed by the responsible quality and operational-technology security owners
- Operational handoff document covering Run, Watch, Change, and Improve cadences across the Microsoft Cloud for Manufacturing stack, plus hypercare window with named owner and named exit criteria
Industry Standards — ISA-95, ISA/IEC 62443 (ISA-99), MES Integration
Microsoft Cloud for Manufacturing rides on top of two foundational industrial standards — the ISA-95 enterprise-control system integration standard and the ISA/IEC 62443 (ISA-99) industrial cybersecurity standard — and one practical-integration discipline, MES vendor coexistence. Together with the regulated-manufacturing overlays, these four standards layers govern the OT/IT boundary, the asset hierarchy, the conformed event taxonomy, and the named broker placement. Plant-floor governance lives or dies on getting these layers right at the architecture phase. Governance coverage extends through the Digital Transformation on Microsoft Enterprise 2026 hub.
ISA-95 — enterprise-control system integration
- ISA-95 Part 1 hierarchy (enterprise, site, area, work center, work unit) is the conformed asset and event taxonomy at the Fabric silver layer
- ISA-95 Part 2 object models map to the Dynamics 365 Supply Chain Management production-order, material-lot, and equipment models
- ISA-95 Part 3 activity models map to the manufacturing-execution-system event stream that crosses the OT/IT boundary into Fabric
ISA/IEC 62443 (ISA-99) — industrial cybersecurity
- Zone-and-conduit segmentation is the governing reference for OT/IT boundary placement — the conformed event stream crosses one named broker, never an ad hoc tunnel
- Microsoft Defender for IoT delivers passive OT-network monitoring, east-west anomaly detection, and ISA-99 zone visibility — feeding Microsoft Sentinel for cross-domain correlation
- Network-layer enforcement uses Azure Arc-enabled Kubernetes admission policies, Azure Firewall Premium, and named jump-host pattern for any human access into the OT zone
MES integration — Rockwell, Siemens, GE, Aveva, MEDITECH-style coexistence
- MES vendor (Rockwell FactoryTalk, Siemens Opcenter, GE Proficy, Aveva MES, or in-house MES) remains the ISA-95 Level 3 system of record for production execution
- The conformed event stream from the MES into Fabric crosses one named broker — Azure IoT Operations message broker at the edge or Azure Event Hubs in the cloud
- Round-trip work-order acknowledgment, completion confirmation, and quality non-conformance flow back to the MES through the same broker — never through ad hoc database direct-write
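The single-broker conduit rule and the read-only contract for AI surfaces can be checked mechanically against flow records. The following is an added example, not EPC Group or Microsoft code; the record fields, zone levels, and host names are constructed assumptions, not a Defender for IoT or Sentinel schema.

```python
from dataclasses import dataclass

# Assumed zone model: ISA-95 Levels 0-3 are inside the OT boundary, Level 4 is IT/cloud.
OT_MAX_LEVEL = 3
# Hypothetical host names, constructed for this example.
NAMED_BROKERS = {"aio-broker-edge", "eventhubs-plant1"}
AI_SURFACES = {"copilot-plant-agent", "factory-ops-agent"}

@dataclass(frozen=True)
class Flow:
    src: str
    src_level: int
    dst: str
    dst_level: int
    op: str  # "read" or "write"

def crosses_boundary(f):
    """True when exactly one endpoint sits inside the OT boundary."""
    return (f.src_level <= OT_MAX_LEVEL) != (f.dst_level <= OT_MAX_LEVEL)

def audit(flows):
    """Return (rule, src, dst) findings for flows that break the conduit rules."""
    findings = []
    for f in flows:
        via_broker = f.src in NAMED_BROKERS or f.dst in NAMED_BROKERS
        # Rule 1: anything crossing the OT/IT boundary must terminate on a named broker.
        if crosses_boundary(f) and not via_broker:
            findings.append(("ad-hoc-conduit", f.src, f.dst))
        # Rule 2: AI surfaces are read-only toward Level 3 and below, broker or not.
        if f.src in AI_SURFACES and f.op == "write" and f.dst_level <= OT_MAX_LEVEL:
            findings.append(("ai-write-into-ot", f.src, f.dst))
    return findings

# Constructed sample flow records.
SAMPLE_FLOWS = [
    Flow("mes-line1", 3, "aio-broker-edge", 3, "write"),          # MES publishes events
    Flow("aio-broker-edge", 3, "fabric-bronze", 4, "write"),      # sanctioned conduit
    Flow("copilot-plant-agent", 4, "fabric-gold", 4, "read"),     # grounding read in IT
    Flow("erp-d365", 4, "aio-broker-edge", 3, "write"),           # work-order ack via broker
    Flow("bi-gateway", 4, "mes-db", 3, "write"),                  # database direct-write
    Flow("copilot-plant-agent", 4, "plc-press-07", 1, "write"),   # AI write to a controller
    Flow("factory-ops-agent", 4, "aio-broker-edge", 3, "write"),  # AI write, even via broker
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The last sample flow is flagged even though it uses the broker, because the read-only contract applies to the AI surface itself rather than to the path it takes.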
GxP, FDA 21 CFR Part 11, and regulated-manufacturing overlays
- Regulated manufacturers — pharmaceutical, medical device, food and beverage, aerospace — overlay GxP, FDA 21 CFR Part 11, ISO 13485, AS9100, or FSMA 204 on the Microsoft Cloud for Manufacturing baseline
- Electronic-record and electronic-signature evidence routes into Microsoft Sentinel under immutable storage with a documented legal-hold workflow
- Computer-system validation evidence package is generated for every Microsoft Cloud for Manufacturing component in scope and signed by the responsible quality unit
1. Purview sensitivity-label taxonomy for the manufacturing boundary
A manufacturing-specific Purview taxonomy spans Plant-Floor-Telemetry, Product-Genealogy-Confidential, Trade-Secret-Process, Supplier-Confidential, Export-Controlled (ITAR/EAR), Business-Confidential, and Public. Labels apply at the OneLake storage layer in Fabric Manufacturing and propagate automatically to every Power BI dataset, SharePoint library, Dataverse table in Dynamics 365 SCM and F&O, and Copilot grounding surface. Export-Controlled is the most restrictive label — the grounding catalog never crosses an Export-Controlled label into a Copilot surface that a non-cleared user can reach.
2. Copilot grounding catalog with documented re-identification risk
Copilot is never grounded directly on raw plant-floor telemetry or raw product genealogy. The grounding catalog enumerates every SharePoint library, Power BI dataset, Fabric manufacturing gold-layer table, and Dataverse table that Copilot may ground on, with the named sensitivity label and named owner per item. The de-identification approach for any cross-supplier dataset is documented with residual re-identification risk and approved by the operational-technology security officer before general availability.
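A grounding catalog with these properties can be linted before any item is admitted to a Copilot surface. The following is an added example, not EPC Group or Microsoft code; the label names come from the taxonomy above, while the field names, item names, and the placeholder document reference are constructed assumptions.

```python
from dataclasses import dataclass

# Label names follow the page's taxonomy; every field name below is an assumption.
TAXONOMY = {
    "Plant-Floor-Telemetry", "Product-Genealogy-Confidential", "Trade-Secret-Process",
    "Supplier-Confidential", "Export-Controlled", "Business-Confidential", "Public",
}

@dataclass
class CatalogItem:
    name: str
    kind: str                      # "sharepoint", "powerbi", "fabric-table", "dataverse"
    label: str = ""
    owner: str = ""
    fabric_layer: str = ""         # bronze / silver / gold (Fabric tables only)
    uncleared_reach: bool = False  # can a non-cleared user reach the Copilot surface?
    cross_supplier: bool = False
    reid_risk_doc: str = ""        # reference to the residual re-identification write-up
    ot_sec_approved: bool = False  # sign-off by the OT security officer

def validate(item):
    """Return the list of reasons this item may not be grounded on."""
    problems = []
    if item.label not in TAXONOMY:
        problems.append("missing-or-unknown-label")
    if not item.owner.strip():
        problems.append("no-named-owner")
    # Raw telemetry and raw genealogy live below gold; only gold tables are groundable.
    if item.kind == "fabric-table" and item.fabric_layer != "gold":
        problems.append("not-gold-layer")
    if item.label == "Export-Controlled" and item.uncleared_reach:
        problems.append("export-controlled-reachable-by-uncleared")
    if item.cross_supplier and not (item.reid_risk_doc and item.ot_sec_approved):
        problems.append("reid-risk-not-documented-and-approved")
    return problems

def blocked_items(catalog):
    """Map item name -> problems, for every item that fails at least one check."""
    return {i.name: p for i in catalog if (p := validate(i))}

# Constructed sample catalog.
SAMPLE_CATALOG = [
    CatalogItem("gold.oee_daily", "fabric-table", "Business-Confidential",
                "plant-analytics-lead", "gold"),
    CatalogItem("bronze.press_line_tags", "fabric-table", "Plant-Floor-Telemetry",
                "ot-data-eng", "bronze"),
    CatalogItem("sp.itar-drawings", "sharepoint", "Export-Controlled",
                "export-compliance", uncleared_reach=True),
    CatalogItem("pbi.supplier_scorecard", "powerbi", "Supplier-Confidential", "",
                cross_supplier=True, reid_risk_doc="RISK-DOC-PLACEHOLDER"),
    CatalogItem("dv.nonconformance", "dataverse", "Quality-Internal", "quality-lead"),
]

if __name__ == "__main__":
    for name, problems in blocked_items(SAMPLE_CATALOG).items():
        print(name, problems)
```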
3. Copilot Studio plant agent guardrails — read-only across the OT boundary
Copilot Studio plant agents for production Q-and-A, downtime root-cause acceleration, and quality-leadership summarization are scoped through declarative guardrails — allowed topics, disallowed topics, control-loop safety disclosure, escalation-to-human triggers, and transcript retention into Sentinel for seven years. The agent runtime is read-only across the ISA-95 Level 3 boundary and never writes to programmable-logic-controller or distributed-control-system registers.
4. Sentinel audit trail with seven-year retention
Every audit log across the Microsoft Cloud for Manufacturing surface — Azure IoT Operations broker logs, Defender for IoT alerts, OneLake access logs, Power BI activity logs, Dynamics 365 SCM and F&O audit logs, Teams audit logs, Purview audit logs, and Copilot interaction logs — pipes into Sentinel under immutable storage with a default seven-year retention window and documented legal-hold workflow.
5. Quarterly governance review with documented evidence package
A quarterly governance review covers the sensitivity-label taxonomy, Copilot grounding catalog, plant-agent guardrails, Sentinel detection rule set, Defender for IoT zone map, and any documented exceptions. The evidence package is signed by the operational-technology security officer, the manufacturing IT director, and the EPC engagement principal — stored in immutable storage, ready for the next ISA-99 assessment, the next AS9100 surveillance audit, or the next CSRD assurance engagement.
EPC Credential Stack
- 11,000+ Microsoft engagements delivered
- 500+ Microsoft Fabric implementations
- 1,500+ Power BI enterprise deployments
- 29 years of Microsoft consulting delivery since 1997
Microsoft Solutions Partner — six designations
Data & AI (Azure), Digital & App Innovation (Azure), Infrastructure (Azure), Modern Work, Security, and Business Applications — the six designations that anchor the manufacturing practice across the entire Microsoft Cloud for Manufacturing stack.
Industrial-and-manufacturing practice
Active engagements across discrete manufacturing, process manufacturing, engineer-to-order, aerospace and defense, and industrial construction — under shop-floor security boundaries that respect ISA-95 and ISA/IEC 62443 (ISA-99) zone segmentation.
4× Microsoft Press bestselling author
Errin O'Connor is the original Microsoft Power BI Project Crescent and SharePoint Project Tahoe beta-team member, with four Microsoft Press titles in print covering Power BI, SharePoint, Azure, and large-scale Microsoft migrations.
Compliance coverage
HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP — with ISA-95, ISA/IEC 62443 (ISA-99), AS9100, GxP, FDA 21 CFR Part 11, ITAR/EAR, CSRD, ESRS, and SEC climate disclosure mapped to the Purview taxonomy at kick-off.
The manufacturing practice runs inside the broader EPC Group Lifecycle — see also the EPC Cloud Orchestrator, Microsoft Cloud for Healthcare, Microsoft Cloud for Financial Services, Microsoft Fabric Real-Time Intelligence, Microsoft Dynamics 365 Implementation, Azure Arc Hybrid + Multi-Cloud, and Digital Transformation on Microsoft Enterprise 2026.
EPC Group operates an industrial-and-manufacturing Microsoft practice with active engagements spanning discrete manufacturing, process manufacturing, engineer-to-order, aerospace and defense, and industrial-construction enterprises — deploying Microsoft Cloud for Manufacturing across Azure, Microsoft Fabric, Dynamics 365 Supply Chain Management, Dynamics 365 Finance and Operations, Microsoft 365 Copilot, and the Power Platform under shop-floor security boundaries that respect ISA-95 and ISA/IEC 62443 (ISA-99) zone segmentation.
Frequently Asked Questions
How does Microsoft Cloud for Manufacturing handle the OT/IT convergence problem — does Copilot ever reach into the control loop?
No — and that boundary is the governing architectural decision. The Microsoft Cloud for Manufacturing pattern places the manufacturing-execution-system layer at ISA-95 Level 3 and everything below (programmable logic controllers, distributed control systems, SCADA historians) inside the operational-technology security boundary. Copilot, Smart Factory Agents, and the Factory Operations Agent are read-only across that boundary. The conformed event stream crosses one named broker — Azure IoT Operations at the edge or Azure Event Hubs in the cloud — with Microsoft Defender for IoT watching the conduit for ISA/IEC 62443 (ISA-99) zone violations. Copilot Studio plant-agent guardrails are declarative and enforce the read-only contract at the agent-runtime layer. Any control-loop write — work-order acknowledgment, set-point change, recipe download — flows back through the MES or the ERP, never directly from the AI surface.
How do we integrate SCADA historians (OSIsoft PI, Aveva PI System, GE Proficy Historian, AspenTech IP.21) into the Fabric manufacturing lakehouse?
Through the Azure IoT Operations broker at the edge or through a dedicated Fabric data-engineering ingestion. The pattern depends on whether the historian sits inside the OT zone (broker pattern preferred, with Defender for IoT watching the conduit) or in a DMZ-tier IT zone where an ingestion connector can reach it directly. For OSIsoft / Aveva PI System, the PI Integrator for Microsoft Azure or the PI Web API behind Azure IoT Operations is the sanctioned pattern. For GE Proficy Historian and AspenTech IP.21, the OPC UA broker or the vendor REST API behind Azure IoT Operations carries the conformed tag stream into the Fabric bronze layer. The ISA-95 work-center hierarchy at the silver layer is the conformed taxonomy regardless of historian vendor.
We are running a legacy GE Predix or PTC ThingWorx deployment. What is the Microsoft Cloud for Manufacturing migration path?
GE Predix sunsetting and the strategic migration to Azure IoT Operations is the most common conversation EPC Group has with industrial-equipment manufacturers in 2026. The migration pattern is to stand up the Azure Arc-enabled edge cluster with Azure IoT Operations alongside the existing Predix or ThingWorx footprint, re-point the OPC UA, MQTT, and Sparkplug B tag streams to the new broker on a plant-by-plant cadence, conform the asset hierarchy into the Fabric manufacturing silver layer against ISA-95 Part 1, and retire the legacy Industrial IoT platform after the last plant migrates. For ThingWorx, the same pattern applies — the EPC Manufacturing Cloud Accelerator scopes the migration on a per-plant basis with documented runbook, named cutover window, and named regression-test plan.
How does Microsoft Cloud for Manufacturing coexist with an existing SAP S/4HANA estate that we are not replacing?
Through the Microsoft Fabric SAP mirror. The Fabric SAP mirror exposes the conformed SAP S/4HANA table set as a near-real-time, read-optimized OneLake surface that downstream Microsoft analytics, AI, and Copilot grounding surfaces consume without re-platforming the SAP system of record. SAP S/4HANA Embedded Analytics and the SAP RISE landing zone remain inside SAP and remain the system of record for transactional processing. Microsoft Cloud for Manufacturing components (Smart Factory Agents, Factory Operations Agent, Connected Factory, Sustainability) ground on the Fabric mirror — never against the SAP transactional layer directly. The pattern preserves the SAP investment while delivering the Microsoft AI and analytics layer at full fidelity.
What is the realistic return-on-investment for predictive maintenance on Microsoft Cloud for Manufacturing — and how long until it shows up?
Predictive maintenance return-on-investment shows up in three buckets — avoided unplanned downtime, reduced spare-parts inventory, and labor productivity from work-order optimization. On the EPC Manufacturing Cloud Accelerator pattern, the first measurable signal appears at Week 18 to 22 once the Fabric notebooks ship the first scored asset-health subset into Dynamics 365 Field Service or the resident enterprise-asset-management system. The first full-quarter financial signal lands in months four through six post-go-live, with avoided-unplanned-downtime in the 8 to 18 percent range against the asset class baseline being the most reliably measurable lever in our portfolio. The other two buckets follow on a longer cadence — spare-parts inventory reduction in months nine through fifteen, labor productivity in year two.
How does Microsoft Cloud for Sustainability handle CSRD and the EU Corporate Sustainability Reporting Directive for non-EU manufacturers?
For non-EU manufacturers whose EU revenue or EU-subsidiary footprint brings them into CSRD scope, Microsoft Cloud for Sustainability anchors the conformed Scope 1, Scope 2, and Scope 3 emissions model in the Fabric manufacturing lakehouse, generates the European Sustainability Reporting Standards (ESRS) disclosure file with the documented assurance package the third-party assurance provider needs, and publishes the supplier-attestation evidence at the Scope 3 Category 1 (Purchased Goods and Services) and Category 4 (Upstream Transportation) granularity that the standard requires. The Power Pages supplier portal carries the consented Scope 3 data exchange. The audit-ready file is timestamp-locked, sensitivity-labeled, and Sentinel-logged with seven-year retention.
Why deploy named-defect-detection at the Azure Arc edge instead of in the cloud — what changes operationally?
Two reasons — latency and bandwidth. Quality inspection on a high-speed line cannot wait for a cloud round-trip; named-defect-detection at line speed requires sub-100-millisecond inference and frame-rate-matching throughput that only an on-plant edge runtime can deliver. Bandwidth is the second constraint — moving the raw image stream off the plant to the cloud is expensive and unnecessary when only the named-defect call and the cluster summary need to leave the plant. The EPC pattern trains the model in Azure AI Foundry, deploys the container to the Azure Arc edge runtime alongside Azure IoT Operations, runs inference at the line, and ships only the structured defect call and the periodic cluster-summary record north-bound. Model updates flow through the Azure Arc GitOps configuration channel with documented change control — same operational discipline as any other Kubernetes workload on the plant cluster.
What does the EPC Manufacturing Cloud Accelerator cost and how long does it run?
The EPC Manufacturing Cloud Accelerator is a fixed-scope, fixed-fee, milestone-priced engagement scoped at 120, 180, or 240 days depending on the number of Microsoft Cloud for Manufacturing components in scope and the number of plants in the multi-site rollout. Pricing ranges from $350,000 (single-plant foundation — Azure IoT Operations plus Fabric manufacturing lakehouse against one MES and one ERP source) to $1,500,000 (full five-phase deployment across Azure IoT Operations, Fabric Manufacturing, Factory Operations Agent, Connected Factory and Connected Worker, Smart Factory Agents, quality-inspection AI, and Sustainability — multi-site). Each phase is priced individually so the client controls the spend gate at every boundary. Senior-architect-led, no offshore handoff, weekly executive briefing, named regulatory-overlay evidence at handoff.
Talk to an EPC Manufacturing Cloud Architect
A 60-minute call with a senior manufacturing Microsoft architect — no sales lead. We will give you an honest scope-fit assessment against the Microsoft Cloud for Manufacturing components in scope, the ERP estate, the MES vendor, the control-systems estate, the OT/IT boundary placement, and the named pricing band for a 120-day, 180-day, or 240-day Manufacturing Cloud Accelerator. If a different firm is a better fit, we will say so.
Errin O'Connor · Founder & CEO · Microsoft Solutions Partner · 4× Microsoft Press bestselling author · 4900 Woodway Drive, Suite 830, Houston, TX 77056