How do we go from “Zero” to “Hero” with Microsoft 365?
Or, in what order should we tackle our Microsoft 365 projects & adoption? This is a question that comes up a lot. Microsoft 365 is a huge product on its own, to say nothing of the ever-expanding marketplace to which it is tied. With the year winding down and the holidays just around the corner, I thought this would be a good opportunity to put a quick summary together.
So, you’ve made the move (or the decision to move) to Microsoft 365. What’s next?
Microsoft Entra ID & Identity Protection
Whenever I begin a new engagement, I start with identity. There are two major items and a couple of minor items that you will want to mind.
The first is to establish your Conditional Access policies and enforce multi-factor authentication. Among other things, this means choosing your authentication methods and preparing users for the change.
The second major thing (which is still overlooked in many organizations) is taking an inventory of all your other SaaS applications, and then configuring those apps for Single Sign-On with Microsoft Entra. This way you can extend all the hard work that you already did for your Microsoft apps to all of your other apps and eliminate managing multiple logins in the process.
There are also some other bits and bytes worth shoring up in the Entra portal, all covered in my Best Practices kit.
Microsoft Intune and Defender
Onboarding devices is still a critical step, in my opinion. There are still a few stragglers out there who will claim that this step is unnecessary, or a distraction. Or only needed in high-risk, high-compliance environments. I disagree. Knowing which devices are inside and outside the corporate fence is a big part of how you ensure a good security posture; this becomes the basis for enhancing your Conditional Access strategy with device-based access policies.
For example, onboarding devices to both Intune and Defender EDR will allow you to bar access from risky devices.
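As an added illustration (not code from the original post), here is one way to express the device-based policy described above with the Microsoft Graph PowerShell SDK: a Conditional Access policy that requires both MFA and an Intune-compliant device, created in report-only mode. The policy name and the emergency-access group ID are placeholders, and the example assumes an Intune compliance policy already marks devices above your chosen Defender risk level as non-compliant.

```powershell
# Added example; requires the Microsoft.Graph.Identity.SignIns module.
# Assumption: $breakGlassGroupId is the object ID of your emergency-access
# ("break-glass") group. The value below is a placeholder, not a real ID.
Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    # Hypothetical display name; follow your own naming convention.
    displayName = 'Require MFA and compliant device - all cloud apps'

    # Report-only: sign-ins are evaluated and logged but not blocked, so the
    # impact can be reviewed in the sign-in logs before enforcement.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users = @{
            includeUsers  = @('All')
            # Keep emergency-access accounts out of scope to avoid lockout.
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }

    grantControls = @{
        # AND = the sign-in must satisfy every control listed below.
        operator        = 'AND'
        # 'compliantDevice' defers to the Intune compliance state, which is
        # where a Defender risk threshold takes effect.
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results look right, changing `state` to `enabled` turns on enforcement.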
Data Protection and Governance
I think data migration is finally becoming better understood, but if you are stuck, I’ve got you covered with courses and written materials. Most Service Providers will stop there, but some of the most underserviced work (being left on the table by MSPs today) is helping small and mid-sized organizations become better stewards of their data once it is relocated to the cloud.
This includes stuff like implementing sensitivity labels, retention policies, data loss prevention, monitoring and protecting cloud applications, and more.
End User Training and Enablement
Microsoft 365 represents a massive paradigm shift, and the universe has only expanded with complementary products like Copilot and Power Platform. Unfortunately, many organizations are still treating Microsoft 365 as though it were merely the latest version of Office, similar to the update from 2010 to 2013 or 2016.
Therefore, another great opportunity for Service Providers is to cultivate superusers or champions within their client base. This can mean relearning old apps, learning new ones, adding automation to a business process, flying with a copilot, and more.
Unfortunately, many Managed Services Providers are in the same place as their customers, living in the past. So, you will need to start at home, and build these muscles internally, first. If you want to see some examples of how to level up your skills with Modern Work “Workouts” check out my friend Darrell Webster over at Modern Work Mentor; I absolutely love the work he is doing over there!
Conclusion
When it comes to Microsoft 365, the order I just laid out is roughly the path I would have my own customers take. It begins with securing identity and devices (which has long been a function of Service Providers), but ultimately it extends down to the data and applications that end users interact with daily.
It is easy for an MSP to focus too much on the former and never adequately address the latter. This is a mistake in my view, because identity & device protection are commodities that everyone can do more or less the same. These services do not, in themselves, add any value to a business. It’s just the plumbing—a necessary utility bill that everyone needs to pay these days.
However, when you start working more closely with an organization’s data and applications, this takes a certain amount of customization and finesse. Plus, you start to move the “value needle” for your customers. This is no small thing. It is the differentiator between whether you will remain a mere commodity (a volume-based business) or whether you become a close technology ally—a partner in your customers’ business journey.
My advice to Service Providers is to continue laying a good secure foundation with a focus on identities and devices, as we always have. But do try to go further than that. You’ll be glad you did.
Comments (2)
Hi Alex,
I’ve been in IT since 1983 and since I agree with almost everything you send out, I would like to get your opinion on the Microsoft365DSC (Desired State Configuration) and using it to create templates that can be used to compare with other current customers’ O365 environments or used to configure the environment for new and current O365 environments. Also a more specific question: I’ve used it to transfer Teams Phone settings from Tenant to Tenant for a small environment. Have you seen this tool used to transfer these types of settings during Tenant to Tenant migrations? Any drawbacks, issues, or tips in this area are welcomed.
Excellent advice Alex! In our learning by doing experience as we modernize our IT, we have landed on exactly this order. The biggest challenge I see ahead is that our staff want and expect to keep all their data forever. This is not an option, not least due to the cost to store and manage the data, so I do wonder how we start the culture change and give staff tools to evaluate what they actually need to keep – all without staff spending too much time sorting through old stuff!