Microsoft 365 has been introduced at your company — but somehow what everyone promised just isn’t coming out the other end. License costs are rising, nobody knows exactly who uses what, Teams is there, but it feels like everyone is working alongside it in WhatsApp and by email. We are building a clean Microsoft 365 operation for mid-market companies (German Mittelstand), in which every license has a reason, every feature an owner, and daily work gets easier again.
Does this sound familiar?
- You bought E5 two years ago because “the complete package” was promised — today nobody uses half of it, and the renewal is due in a few months.
- Teams is set up, but team leads send Excel files by email because “SharePoint is too complicated”. Sales leadership shares quotes via WhatsApp because it’s faster.
- At the last meeting with the auditor, the question about MFA status came up — and you spent two weeks looking for an honest answer.
- Every new hire takes three days because nobody knows off the top of their head which license, which groups, which device configuration the person needs.
- There are three OneDrive folder structures, four SharePoint sites with unclear permissions, and nobody dares to clean up because no one knows what’s still in use.
Why this happens
Microsoft 365 gets introduced at most Mittelstand companies during a phase when something acute is driving the change — Covid home office, an Exchange server that no longer receives updates, a new site that needs to be connected. The rollout is ordered from the service provider, the tenant is spun up, mailboxes migrate, and at some point “Microsoft 365 is live” is reported. What almost never gets planned at that moment is tenant governance — the question of who is allowed to do what, who manages what, and how that can still be justified in three years.
On top of that, Microsoft’s license world has been getting denser every year. Business Basic, Business Standard, Business Premium, E1, E3, E5, plus add-ons for Copilot, Teams Premium, Defender, Power Apps, Intune Suite. Even people who do this full-time have to look at the license guides regularly. In your company, nobody has the job of watching this weekly — and that’s completely normal.
In parallel, Microsoft pushes new features into the tenant every quarter. Copilot, Loop, Planner Premium, new Defender policies, new Conditional Access templates. If you’re a mid-market company that hasn’t happened to staff an M365 governance role, you simply can’t evaluate this in peace. It piles up until it hurts.
And finally: Mittelstand IT departments are usually staffed with generalists who have to cover a wide stack between network, server, ERP interfaces and endpoints. M365 is one of twenty topics — not a specialty. That’s exactly where we come in.
What this is concretely about
Exchange Online & Teams
What carries most of the visible communication load in your daily work. Clean mailbox structures, sensible distribution-list logic, clear ground rules between mail and Teams. How you notice it doesn’t fit: when the question “Where do I find this?” is regularly answered with “Search your mail history”.
SharePoint & OneDrive
The place where files actually should sit — and which at most companies has grown wild. We bring site structures into a comprehensible shape, sort out permissions, and make the storage usable again. How you notice it: when nobody wants to delete a SharePoint site because no one is sure whether it’s still needed.
Intune & Autopilot (device management)
How notebooks and smartphones arrive in your company, what runs on them, and what happens when they’re lost. Autopilot means: a new device is unpacked, signed in with the company account, and configures itself. How you notice it: when onboarding a new person currently triggers three days of setup work.
Entra ID & Conditional Access (identities + access)
Who is allowed to access what from where — and under what conditions. This is the backbone of any honest M365 security discussion. This is where MFA is really enforced instead of merely recommended, where risk signals are evaluated, and where the answer you want to give the auditor comes from. How you notice it: when the question “Does everyone have MFA?” can’t be answered within ten seconds.
Defender for Office / Endpoint
Protection against what actually comes at you every day — phishing mails, infected attachments, compromised endpoints. Defender is included in many licenses, just often not properly configured. How you notice it: when the security discussion ends with “We have a firewall.”
Copilot — when it actually makes sense
We don’t recommend Copilot as a reflex. Before we book the license, we check with you whether SharePoint permissions are clean — otherwise Copilot sees data it shouldn’t see, and suddenly answers the question “How high was management’s bonus?” for every person in the company. Beyond that, we measure beforehand where the benefit really emerges. For some roles (sales, marketing, back office with lots of text work) Copilot is a real lever. For others, it’s expensive jewellery. We tell you honestly which group at your company is which.
License hygiene & tenant governance
What needs to happen continuously after rollout but rarely does: who has which license, why, since when, and do they still need it? Which apps are allowed in the tenant? Who may create new Teams teams? We build a rhythm in which this is reviewed once per quarter, instead of once every three years in panic.
What you should look out for — even if you don’t go with us
- Ask to see the handover documentation BEFORE the project starts, not after. Whoever doesn’t have a template has never handed over cleanly — and you end up with a setup only your service provider understands.
- Ask about the rollback plan. When you enforce Conditional Access or roll out an Intune profile, it can lock people out. Whoever hesitates when asked “What happens if it goes wrong?” doesn’t have a plan.
- Flat-rate offers along the lines of “M365 including support for 39 € per user” usually mean first-level ticket handling. No architecture, no optimization, no license advice. That isn’t bad — but it also isn’t what most companies actually need.
- If someone recommends Copilot without first seeing your data classification and SharePoint permissions — caution. That’s sales, not consulting.
- Ask whether the service provider would also advise against something. Whoever never says no will sell you everything Microsoft is currently pushing. That isn’t in your interest.
- Clarify who administratively controls the tenant. If the global admin only sits with the service provider, you have a concentration risk. That doesn’t have to be the case.
When this is now due
- Growth is stalling because internal tools aren’t growing with you — new staff, new sites, new processes hit limits that nobody can quite name.
- Employees openly complain that “IT is slowing us down” or “nothing goes quickly” — and you sense they’re right.
- The Microsoft license renewal is due in the next 3–9 months, and nobody knows whether the current setup still fits.
- A wave of new staff is coming (apprentices, a new department, a site expansion), and the current onboarding wouldn’t hold up.
- The cyber insurer has sent a questionnaire asking about MFA, Conditional Access and backup status.
- NIS-2 preparation is on the agenda because you’re directly affected or have to provide proof as a supplier.
- An audit note has flagged gaps in permissions, logging or data classification.
- A generational change in the IT department — the person who held everything in their head is retiring or changing employers.
How we work
Phase 1 — Initial conversation & assessment
We start with a 30-minute initial call, followed by a structured look into your tenant. We see which licenses are assigned, how identities are built, where permissions sit, what Defender reports. Delivery: an honest assessment as a compact document that management can also read — what’s good, what’s off, what’s urgent, what can wait.
Phase 2 — Architecture plan
Based on the assessment, we work out the target state with you. Which license for which role, which Conditional Access policies, which SharePoint structure, which device lifecycle. Delivery: an architecture plan that is comprehensible, that an external auditor can also read, and that has a clear implementation order.
Phase 3 — Implementation in controlled steps
We roll out changes step by step — each step with a small pilot group, then broadly, always with a rollback path. No big-bang migration with three weeks of risk. Delivery: step by step, a tenant that helps you work instead of keeping you busy.
Phase 4 — Handover & ongoing operations
At the end there is documentation with which, theoretically, someone else could take over. That is deliberate: we build operations so that you are not dependent on us. Optionally, we accompany ongoing operations: quarterly license and governance review, response to Microsoft changes, shared roadmap. Delivery: a tenant that runs stably in daily work, and a quarterly rhythm in which nothing “rusts over years” anymore.
What you can expect from us — and what not
What you get:
- Direct contact to the founder as your fixed point of contact — no ticket carousel, no rotating account managers.
- Remote response immediately during service hours, with honest communication when something takes longer.
- On-site appointments planned by distance: in Viersen within 24 hours, in neighbouring cities 1–2 working days, further away 3–5 working days.
- Documentation with which, theoretically, someone else could take over from us. That is a quality goal, not an oversight.
- Recommendations that may also work against our own revenue, when it fits for you.
What we deliberately don’t do:
- On-site shuttle support in 30-minute mode. One person can’t be in several cities at the same time, and whoever promises that won’t keep it.
- Big-consultancy PowerPoints without delivery. If at the end of the project nothing runs that wasn’t running before, it wasn’t a project.
- Promises that a 30-person team would have to deliver — which we are not.
Where we also say no:
- If you want to introduce Copilot “because everyone has it” and the benefit can’t be shown — then first clean up the data basis, then we talk again.
- If the honest answer is: “Leave the file server for engineering alone, it runs better locally than in SharePoint.” Cloud is not automatically better.
- If the need doesn’t actually fit a Managed M365 engagement but rather a one-off consulting piece or something completely different.
How it starts
- 30 minutes initial conversation, free of charge, non-binding, by video or phone.
- What we clarify: current state, most urgent pain points, what’s coming up at your company in the next 6–12 months.
- Optionally useful in advance, but not required: rough headcount, Microsoft license packages in use, whether there is already a service provider in the tenant.
- Engagement models are possible as a one-time cleanup project, as ongoing support in a quarterly rhythm, or as a hybrid — what suits you, we clarify in conversation.
Frequently asked questions
Do we have to put everything on Microsoft?
No. Microsoft 365 is a platform for communication, collaboration and identity. If your ERP, your CAD application or your industry software runs better locally, it stays local. We build the workplace so that it coexists with what runs at your company.
What happens to our existing licenses?
We look at them together. Often the right answer is not “buy everything new”, but “assign existing licenses cleanly, cancel unused ones, fill specific gaps”. First the inventory, then the offer.
Do we really need Copilot?
Maybe. Maybe not. We measure that up front: which roles would use it daily, which data would be affected, and whether SharePoint permissions are clean enough. If Copilot doesn’t carry its weight at your company, we say so.
How long does tenant cleanup take?
That depends strongly on size and state. An 80-employee company with moderate sprawl is typically in a substantially better state within 4–8 weeks — a larger organization with several sites and grown permissions takes accordingly longer. In the initial conversation we give an honest range.
Can we replace you again if it doesn’t fit?
Yes, and that’s a design goal. We document so that a handover to another service provider is possible at any time. The tenant belongs to you, the global admin stays with you, and the documentation is yours.
What if we don’t want to go to the cloud at all?
Then we talk about what really has to go to the cloud and what doesn’t. Mail in Exchange Online is usually sensible because spam and malware protection runs better on the provider’s side. CAD design data on a local file server is often best off right there. Cloud is not the goal, but one option among several.