Microsoft 365 has been rolled out at your company — but somehow it isn’t delivering what everyone promised. License costs keep rising, nobody knows exactly who uses what, Teams is there, but it feels like everyone works around it in WhatsApp and email. We build a clean Microsoft 365 operation for mid-market companies (the German Mittelstand), where every license has a reason, every feature has an owner, and daily work gets easier again.
Does this sound familiar?
- You bought E5 two years ago because you were promised “the complete package” — today half of it goes unused, and the renewal is due in a few months.
- Teams is set up, but team leads send Excel files by email because “SharePoint is too complicated”. Sales leadership shares quotes via WhatsApp because it’s faster.
- At the last meeting with your auditor, the question about MFA status came up — and it took you two weeks to find an honest answer.
- Every new hire takes three days to set up because nobody knows off the top of their head which license, which groups, which device configuration the person needs.
- There are three OneDrive folder structures, four SharePoint sites with unclear permissions, and nobody dares to clean up because no one knows what’s still in use.
Why this happens
At most mid-market companies, Microsoft 365 gets introduced during a phase when something acute is driving the change — Covid home office, an Exchange server that no longer receives updates, a new site that needs to be connected. The rollout is ordered from a service provider, the tenant is spun up, mailboxes are migrated, and at some point “Microsoft 365 is live” gets reported. What almost never gets planned in that moment is tenant governance — the question of who is allowed to do what, who manages what, and how that can still be justified three years later.
On top of that, Microsoft’s licensing world has been getting denser every year. Business Basic, Business Standard, Business Premium, E1, E3, E5, plus add-ons for Copilot, Teams Premium, Defender, Power Apps, Intune Suite. Even people who do this for a living have to check the license guides regularly. In your company, nobody has the job of watching this weekly — and that’s completely normal.
In parallel, Microsoft pushes new features into the tenant every quarter. Copilot, Loop, Planner Premium, new Defender policies, new Conditional Access templates. A mid-market company that doesn’t happen to have a dedicated M365 governance role simply can’t evaluate all of that properly. It sits untouched until it hurts.
And finally: mid-market IT departments are usually staffed with generalists who have to cover a wide stack spanning network, servers, ERP interfaces and endpoints. M365 is one of twenty topics — not a specialty. That’s exactly where we come in.
What’s actually involved
Exchange Online & Teams
What carries most of the visible communication load in your daily work. Clean mailbox structures, sensible distribution-list logic, clear ground rules between email and Teams. How you’ll know it’s not working: when the question “Where do I find this?” is regularly answered with “Search your mail history”.
SharePoint & OneDrive
The place where files should actually live — and which at most companies has grown wild. We bring site structures into a comprehensible shape, sort out permissions, and make the file storage usable again. How you’ll know: when nobody wants to delete a SharePoint site because no one is sure whether it’s still needed.
Intune & Autopilot (device management)
How notebooks and smartphones arrive in your company, what runs on them, and what happens when they’re lost. Autopilot means: a new device is unpacked, signed in with the company account, and configures itself. How you’ll know: when onboarding a new person currently triggers three days of setup work.
Entra ID & Conditional Access (identities + access)
Who is allowed to access what, from where — and under what conditions. This is the backbone of any honest M365 security discussion. This is where MFA is actually enforced instead of merely recommended, where risk signals are evaluated, and where the answer you want to give your auditor comes from. How you’ll know: when the question “Does everyone have MFA?” can’t be answered within ten seconds.
Defender for Office 365 / Defender for Endpoint
Protection against what actually comes at you every day — phishing emails, infected attachments, compromised endpoints. Defender is already included in many licenses, just often not properly configured. How you’ll know: when the security discussion ends with “We have a firewall.”
Copilot — when it actually makes sense
We don’t recommend Copilot as a reflex. Before we book the license, we check with you whether your SharePoint permissions are clean — otherwise Copilot makes content findable that far too many people can access through overly broad permissions, and the question “How big was management’s bonus?” suddenly becomes answerable for everyone with access. Beyond that, we measure beforehand where the benefit really emerges. For some roles (sales, marketing, back office with lots of text work) Copilot is a real lever. For others, it’s expensive shelfware. We tell you honestly which group at your company is which.
License hygiene & tenant governance
What needs to happen continuously after rollout but rarely does: who has which license, why, since when, and do they still need it? Which apps are allowed in the tenant? Who may create new Teams teams? We build a rhythm in which this is reviewed once a quarter, instead of once every three years in panic.
What you should look out for — even if you don’t go with us
- Ask to see the handover documentation BEFORE the project starts, not after. Anyone who doesn’t have a template has never done a clean handover — and you end up with a setup only your service provider understands.
- Ask about the rollback plan. When you enforce Conditional Access or roll out an Intune profile, it can lock people out. Anyone who stumbles over the question “What happens if it goes wrong?” doesn’t have a plan.
- Flat-rate offers along the lines of “M365 including support for €39 per user” usually mean first-level ticket handling. No architecture, no optimization, no license advice. That isn’t bad — but it also isn’t what most companies actually need.
- If someone recommends Copilot without first seeing your data classification and SharePoint permissions — caution. That’s sales, not consulting.
- Ask whether the service provider would ever advise you against something. A provider who never says no will sell you everything Microsoft is currently pushing. That isn’t in your interest.
- Clarify who administratively controls the tenant. If the global admin sits only with the service provider, you have a concentration risk. It doesn’t have to be that way.
When it’s time to act
- Growth is stalling because internal tools aren’t growing with you — new staff, new sites, new processes hit limits that nobody can quite name.
- Employees openly complain that “IT is slowing us down” or “nothing moves quickly” — and you sense they’re right.
- Your Microsoft license renewal is due in the next 3–9 months, and nobody knows whether the current setup still fits.
- A wave of new staff is coming (apprentices, a new department, a site expansion), and the current onboarding wouldn’t hold up.
- Your cyber insurer has sent a questionnaire asking about MFA, Conditional Access and backup status.
- NIS-2 preparation is on the agenda because you’re directly affected or have to provide evidence as a supplier.
- An audit note has flagged gaps in permissions, logging or data classification.
- A generational change in the IT department — the person who kept everything in their head is retiring or moving on.
How we work
Phase 1 — Initial conversation & assessment
We start with a 30-minute initial call, followed by a structured look into your tenant. We look at which licenses are assigned, how identities are structured, where permissions sit, what Defender reports. Deliverable: an honest assessment as a compact document that management can read too — what’s good, what’s off, what’s urgent, what can wait.
Phase 2 — Architecture plan
Based on the assessment, we work out the target state with you. Which license for which role, which Conditional Access policies, which SharePoint structure, which device lifecycle. Deliverable: an architecture plan that is comprehensible, that an external auditor can read, and that has a clear implementation order.
Phase 3 — Implementation in controlled steps
We roll out changes step by step — each step with a small test group first, then broadly, always with a rollback path. No big-bang migration with three weeks of risk. Deliverable: step by step, a tenant that helps you work instead of keeping you busy.
Phase 4 — Handover & ongoing operations
At the end there is documentation that would, in theory, let another provider take over from us at any time — deliberately so. We build operations so that you are not dependent on us. Optionally, we support ongoing operations: a quarterly license and governance review, responses to Microsoft changes, a shared roadmap. Deliverable: a tenant that runs stably in daily work, and a quarterly rhythm in which nothing “rusts away for years” anymore.
What you can expect from us — and what not
What you get:
- A direct line to the founder as your permanent point of contact — no ticket carousel, no rotating account managers.
- Immediate remote response during service hours, with honest communication when something takes longer.
- On-site visits by appointment — with our base in Viersen and short distances across the Lower Rhine region, usually possible at short notice.
- Documentation that would, in theory, let another provider take over from us at any time. That is a quality goal, not an oversight.
- Recommendations that can go against our own revenue, when that’s what’s right for you.
What we deliberately don’t do:
- On-site shuttle support with 30-minute response promises. Routine support runs faster and more transparently remotely; we schedule on-site visits where they are genuinely needed.
- Big-consultancy PowerPoints without delivery. If at the end of the project nothing runs that wasn’t running before, it wasn’t a project.
- Blanket round-the-clock availability without a clean service model. We define response paths, service hours and escalation up front instead of selling vague standby.
Where we’ll also say no:
- If you want to introduce Copilot “because everyone has it” and the benefit can’t be demonstrated — then let’s clean up the data foundation first and talk again.
- If the honest answer is: “Leave the file server for engineering alone, it runs better locally than in SharePoint.” Cloud is not automatically better.
- If what you need doesn’t actually fit a Managed M365 engagement but rather a one-off consulting piece or something else entirely.
How it starts
- A 30-minute initial conversation — free of charge, no obligation, by video or phone.
- What we clarify: current state, most urgent pain points, what’s coming up at your company in the next 6–12 months.
- Useful to have in advance, but not required: rough headcount, Microsoft license packages in use, whether there is already a service provider in the tenant.
- Engagement models: a one-time cleanup project, ongoing support in a quarterly rhythm, or a hybrid — we’ll work out what suits you in that first conversation.
Frequently asked questions
Do we have to move everything to Microsoft? No. Microsoft 365 is a platform for communication, collaboration and identity. If your ERP, your CAD application or your industry software runs better locally, it stays local. We build the workplace so that it coexists with what already runs at your company.
What happens to our existing licenses? We look at them together. Often the right answer is not “buy everything new”, but “assign existing licenses cleanly, cancel unused ones, fill specific gaps”. First the inventory, then the offer.
Do we really need Copilot? Maybe. Maybe not. We measure that up front — which roles would use it daily, which data would be affected, are the SharePoint permissions clean enough. If Copilot doesn’t deliver at your company, we say so.
How long does a tenant cleanup take? That depends heavily on size and current state. An 80-employee company with moderate sprawl is typically in a substantially better state within 4–8 weeks — a larger organization with several sites and permissions that have grown over the years takes correspondingly longer. In the initial conversation we give you an honest range.
Can we replace you if it doesn’t work out? Yes, and that’s a design goal. We document everything so that a handover to another service provider is possible at any time. The tenant belongs to you, the global admin stays with you, and the documentation is yours.
What if we don’t want to move to the cloud at all? Then we talk about what really has to go to the cloud and what doesn’t. Mail in Exchange Online usually makes sense because spam and malware protection works better on the provider’s side. CAD data on a local file server is often exactly where it belongs. Cloud is not the goal — it’s one option among several.
Related topics
- Use Case: Cleaning up an M365 tenant — grown over years, without disrupting operations
- Knowledge (German): What does Managed Microsoft 365 for 50 employees cost?
- Knowledge (German): Microsoft 365 vs. Google Workspace in the Mittelstand
Looking more for Cloud Operations instead? Services overview