Home / Services / Managed M365

Managed Microsoft 365 — when your workplace should finally help instead of slowing you down

Clean Microsoft 365 for mid-market companies in the Lower Rhine region and NRW — with honest recommendations, even when the answer is: leave it out.

Microsoft 365 has been rolled out at your company — but somehow it isn’t delivering what everyone promised. License costs keep rising, nobody knows exactly who uses what, Teams is there, but it feels like everyone works around it in WhatsApp and email. We build a clean Microsoft 365 operation for mid-market companies (the German Mittelstand), where every license has a reason, every feature has an owner, and daily work gets easier again.

Does this sound familiar?

Why this happens

At most mid-market companies, Microsoft 365 gets introduced during a phase when something acute is driving the change — Covid home office, an Exchange server that no longer receives updates, a new site that needs to be connected. The rollout is ordered from a service provider, the tenant is spun up, mailboxes are migrated, and at some point “Microsoft 365 is live” gets reported. What almost never gets planned in that moment is tenant governance — the question of who is allowed to do what, who manages what, and how that can still be justified three years later.

On top of that, Microsoft’s licensing world has been getting denser every year. Business Basic, Business Standard, Business Premium, E1, E3, E5, plus add-ons for Copilot, Teams Premium, Defender, Power Apps, Intune Suite. Even people who do this for a living have to check the license guides regularly. In your company, nobody has the job of watching this weekly — and that’s completely normal.

In parallel, Microsoft pushes new features into the tenant every quarter. Copilot, Loop, Planner Premium, new Defender policies, new Conditional Access templates. A mid-market company that doesn’t happen to have a dedicated M365 governance role simply can’t evaluate all of that properly. It sits untouched until it hurts.

And finally: mid-market IT departments are usually staffed with generalists who have to cover a wide stack spanning network, servers, ERP interfaces and endpoints. M365 is one of twenty topics — not a specialty. That’s exactly where we come in.

What’s actually involved

Exchange Online & Teams

What carries most of the visible communication load in your daily work. Clean mailbox structures, sensible distribution-list logic, clear ground rules between email and Teams. How you’ll know it’s not working: when the question “Where do I find this?” is regularly answered with “Search your mail history”.

SharePoint & OneDrive

The place where files should actually live — and which at most companies has grown wild. We bring site structures into a comprehensible shape, sort out permissions, and make the file storage usable again. How you’ll know: when nobody wants to delete a SharePoint site because no one is sure whether it’s still needed.

Intune & Autopilot (device management)

How notebooks and smartphones arrive in your company, what runs on them, and what happens when they’re lost. Autopilot means: a new device is unpacked, signed in with the company account, and configures itself. How you’ll know: when onboarding a new person currently triggers three days of setup work.

Entra ID & Conditional Access (identities + access)

Who is allowed to access what, from where — and under what conditions. This is the backbone of any honest M365 security discussion. This is where MFA is actually enforced instead of merely recommended, where risk signals are evaluated, and where the answer you want to give your auditor comes from. How you’ll know: when the question “Does everyone have MFA?” can’t be answered within ten seconds.

Defender for Office 365 / Defender for Endpoint

Protection against what actually comes at you every day — phishing emails, infected attachments, compromised endpoints. Defender is already included in many licenses, just often not properly configured. How you’ll know: when the security discussion ends with “We have a firewall.”

Copilot — when it actually makes sense

We don’t recommend Copilot as a reflex. Before we book the license, we check with you whether your SharePoint permissions are clean — otherwise Copilot makes content findable that far too many people can access through overly broad permissions, and the question “How big was management’s bonus?” suddenly becomes answerable for everyone with access. Beyond that, we measure beforehand where the benefit really emerges. For some roles (sales, marketing, back office with lots of text work) Copilot is a real lever. For others, it’s expensive shelfware. We tell you honestly which group at your company is which.

License hygiene & tenant governance

What needs to happen continuously after rollout but rarely does: who has which license, why, since when, and do they still need it? Which apps are allowed in the tenant? Who may create new Teams teams? We build a rhythm in which this is reviewed once a quarter, instead of once every three years in panic.

What you should look out for — even if you don’t go with us

When it’s time to act

How we work

Phase 1 — Initial conversation & assessment

We start with a 30-minute initial call, followed by a structured look into your tenant. We look at which licenses are assigned, how identities are structured, where permissions sit, what Defender reports. Deliverable: an honest assessment as a compact document that management can read too — what’s good, what’s off, what’s urgent, what can wait.

Phase 2 — Architecture plan

Based on the assessment, we work out the target state with you. Which license for which role, which Conditional Access policies, which SharePoint structure, which device lifecycle. Deliverable: an architecture plan that is comprehensible, that an external auditor can read, and that has a clear implementation order.

Phase 3 — Implementation in controlled steps

We roll out changes step by step — each step with a small test group first, then broadly, always with a rollback path. No big-bang migration with three weeks of risk. Deliverable: step by step, a tenant that helps you work instead of keeping you busy.

Phase 4 — Handover & ongoing operations

At the end there is documentation that would, in theory, let another provider take over from us at any time — deliberately so. We build operations so that you are not dependent on us. Optionally, we support ongoing operations: a quarterly license and governance review, responses to Microsoft changes, a shared roadmap. Deliverable: a tenant that runs stably in daily work, and a quarterly rhythm in which nothing “rusts away for years” anymore.

What you can expect from us — and what not

What you get:

What we deliberately don’t do:

Where we’ll also say no:

How it starts

Book an initial conversation

Frequently asked questions

Do we have to move everything to Microsoft? No. Microsoft 365 is a platform for communication, collaboration and identity. If your ERP, your CAD application or your industry software runs better locally, it stays local. We build the workplace so that it coexists with what already runs at your company.

What happens to our existing licenses? We look at them together. Often the right answer is not “buy everything new”, but “assign existing licenses cleanly, cancel unused ones, fill specific gaps”. First the inventory, then the offer.

Do we really need Copilot? Maybe. Maybe not. We measure that up front — which roles would use it daily, which data would be affected, are the SharePoint permissions clean enough. If Copilot doesn’t deliver at your company, we say so.

How long does a tenant cleanup take? That depends heavily on size and current state. An 80-employee company with moderate sprawl is typically in a substantially better state within 4–8 weeks — a larger organization with several sites and permissions that have grown over the years takes correspondingly longer. In the initial conversation we give you an honest range.

Can we replace you if it doesn’t work out? Yes, and that’s a design goal. We document everything so that a handover to another service provider is possible at any time. The tenant belongs to you, the global admin stays with you, and the documentation is yours.

What if we don’t want to move to the cloud at all? Then we talk about what really has to go to the cloud and what doesn’t. Mail in Exchange Online usually makes sense because spam and malware protection works better on the provider’s side. CAD data on a local file server is often exactly where it belongs. Cloud is not the goal — it’s one option among several.

Looking more for Cloud Operations instead? Services overview