Your Microsoft 365 tenant has grown organically over three, four, five years, and nobody at the company can honestly say anymore who needs which license, which SharePoint site is still alive, or why there are 14 distribution lists with similar names. This page describes what a structured cleanup looks like, without operations standing still or people getting locked out by accident.
Do you have this situation?
- Licenses were touched over the years whenever someone joined or quit, but never reviewed systematically. Today there's E5 for people who only use mail and Teams, and Business Basic for someone who actually needs Power BI.
- SharePoint sites have grown wild: one per project, several per department, some created by employees long gone. Nobody wants to delete one because no one knows whether it’s still needed.
- Permissions are a tangle of direct assignments, groups, inherited rights and “Everyone in the company” sharing links that someone once quickly sent out.
- There are four global admins — two of them are former employees, one is the former service provider, and the fourth is a service account with a password that hasn’t been changed since 2022.
- When someone asks “Who actually has access to the management folder?”, you don’t get an answer but a ten-minute click tour through SharePoint permissions that ends with “actually only the right people, I think”.
Why solve this now instead of postponing
- License renewal is coming up. In the next 3–9 months your Microsoft contract renews. Without a clean inventory you keep paying for licenses nobody uses, and possibly buy more on top.
- A wave of new staff is coming. New apprentices, a new site, a department being doubled — the current onboarding improvisation won’t hold up.
- The cyber insurer or auditor asked. MFA status, admin roles, Conditional Access, data classification — and you noticed that the honest answer right now would be “We don’t know exactly”. That should be cleaned up before someone does it for you.
How it would look at your company
Step 1 — Honest and complete assessment (week 1–2)
We go through your tenant with read access and pull the hard data: which licenses are assigned, which are actually used (Entra ID sign-in logs, app usage reports), who holds admin roles, both active and PIM-eligible, how many SharePoint sites exist and which of them have seen activity in the last 90 days, what the MFA registration status is, and which Conditional Access policies are enforced, report-only or switched off. One caveat worth knowing: Entra ID keeps sign-in logs for only 30 days (7 days without a P1 licence), so "last sign-in per user" comes from the user's sign-in activity property or from logs you already export elsewhere, not from scrolling back a year. The result is a compact document: what's good, what's off, what's urgent, what can wait. Readable for management as well.
Stack: Microsoft Graph, Entra ID sign-in logs, SharePoint Admin Center, Microsoft 365 Admin Center, Defender for Cloud Apps (where available).
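The assessment step above, as an added example that is not part of the original page: a read-only snapshot of exactly the five data points listed, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signing-in account can consent to the listed read scopes, the tenant has Entra ID P1 (required for the SignInActivity property), and that the "conceal user, group and site names in reports" setting is switched off, otherwise the usage report returns pseudonymised site URLs. The output file names are arbitrary.

```powershell
# Added example, not the page's own tooling. Read-only assessment snapshot via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed, consent to the scopes below, Entra ID P1 for
# SignInActivity, report privacy setting ("concealed names") off so site URLs are readable.
$scopes = @('User.Read.All', 'Directory.Read.All', 'AuditLog.Read.All', 'Policy.Read.All',
            'Reports.Read.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

$cutoff  = (Get-Date).AddDays(-90)
$skuName = @{}
Get-MgSubscribedSku | ForEach-Object { $skuName[[string]$_.SkuId] = $_.SkuPartNumber }

# 1. Every licensed user with last sign-in; 'Stale' marks candidates for reclaiming a licence
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses, SignInActivity
$licenses = foreach ($u in $users) {
    if (-not $u.AssignedLicenses) { continue }
    $last = $u.SignInActivity.LastSignInDateTime      # $null if the user never signed in
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        Licenses   = ($u.AssignedLicenses | ForEach-Object { $skuName[[string]$_.SkuId] }) -join ';'
        LastSignIn = $last
        Stale      = (-not $u.AccountEnabled) -or ($null -eq $last) -or ($last -lt $cutoff)
    }
}
$licenses | Export-Csv .\licenses.csv -NoTypeInformation

# 2. Active Global Administrator members. PIM-eligible assignments are NOT in this list;
#    use Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance for those.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        # a service principal or group holding Global Admin gets its own review line
        [pscustomobject]@{ Principal = $m.Id; Type = $m.AdditionalProperties['@odata.type']; Enabled = $null; PasswordAgeDays = $null }
        continue
    }
    $a = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled, UserType, LastPasswordChangeDateTime
    $pwAge = $null
    if ($a.LastPasswordChangeDateTime) { $pwAge = [int]((Get-Date) - $a.LastPasswordChangeDateTime).TotalDays }
    [pscustomobject]@{
        Principal       = $a.UserPrincipalName
        Type            = $a.UserType          # 'Guest' here is typically an external provider
        Enabled         = $a.AccountEnabled    # disabled former employees still holding GA show up here
        PasswordAgeDays = $pwAge               # the "not changed since 2022" service account shows up here
    }
}
$admins | Export-Csv .\global-admins.csv -NoTypeInformation

# 3. MFA registration per user: answers "does everyone have MFA?" with one query
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable, DefaultMfaMethod |
    Export-Csv .\mfa-status.csv -NoTypeInformation

# 4. Conditional Access: State is 'enabled', 'enabledForReportingButNotEnforced' or 'disabled'
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, ModifiedDateTime |
    Export-Csv .\ca-policies.csv -NoTypeInformation

# 5. SharePoint sites with no activity in the last 90 days, from the usage report (CSV download)
Get-MgReportSharePointSiteUsageDetail -Period D90 -OutFile .\spo-usage-raw.csv
Import-Csv .\spo-usage-raw.csv |
    Where-Object { $_.'Is Deleted' -eq 'False' -and
                   ([string]::IsNullOrEmpty($_.'Last Activity Date') -or [datetime]$_.'Last Activity Date' -lt $cutoff) } |
    Select-Object 'Site URL', 'Owner Principal Name', 'Last Activity Date', 'Root Web Template', 'Storage Used (Byte)' |
    Export-Csv .\spo-inactive-90d.csv -NoTypeInformation
```

Everything here is a read operation; the scopes requested contain no `ReadWrite`, which is the point of "read access first". The five CSVs are the raw material for the assessment document; the `Stale` flag and `PasswordAgeDays` column are where the findings from the first section of this page (unused E5 seats, a service account with an ancient password) become visible as data rather than anecdote.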
Step 2 — Define the target picture (week 2–3)
Together with you we clarify the target state: which license profiles fit which roles at your company? Who really needs E5, who is fine with Business Premium (bearing in mind that Business plans are capped at 300 seats)? What should the SharePoint structure look like if it were thought through afresh? Who is allowed to be admin in future, and under what conditions? This won't be a mountain of PowerPoint; it will be a short architecture sketch you understand and can agree to.
Stack: Confluence/Notion/SharePoint for the documentation, depending on where your documentation home is.
Step 3 — Cleanup in controlled waves (week 3–8)
We don’t implement everything at once. The order is deliberate: first admin roles and MFA, because that's where the biggest security risk sits and, for admin roles, the change end users notice least. Then license reallocation in small groups, always with prior testing, because a removed license is not free of side effects (remove the Exchange Online license and the mailbox is deleted after a 30-day grace period). Then SharePoint cleanup with a clear announcement to site owners about what will happen: archived, deleted, restructured. Each wave has a rollback path in case something breaks.
Stack: PIM (Privileged Identity Management), Entra ID Access Reviews, SharePoint Admin Center, Defender for Office 365, Intune (when devices are affected).
Step 4 — Handover and quarterly rhythm (week 8+)
At the end there is documentation with which someone else could understand your configuration — built that way on purpose. Plus a quarterly rhythm for license check, admin review and SharePoint activity report, so that the next “grown over the years” doesn’t even start to form.
What you should look out for along the way
- Ask to see the rollback plan before anyone touches anything in the tenant. Whoever hesitates when asked “What happens if this Conditional Access policy locks out 200 people?” doesn’t have a plan yet. A good plan has a pilot group, the policy in report-only mode first so that its effect shows up in the sign-in logs before it blocks anyone, monitoring of sign-in failures and risky sign-ins once it is enforced, and an emergency (break-glass) admin account that is excluded from every policy.
- Ask about the communication strategy for end users. When you archive SharePoint sites or switch licenses, the people affected have to know beforehand — otherwise the tickets land with you, not with the service provider.
- Keep the Global Admin role. At least one person at your company must hold Global Administrator, alongside the break-glass account, so that you can deactivate any external service provider in the tenant yourself. If the service provider wants it differently, that is a warning signal.
- Watch out for “We’ll migrate that over the weekend” offers. Tenant cleanup is detail work. Whoever sells it as a weekend action has either a very small setup or very large optimism.
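The rollback bullet above asks for a pilot group, report-only mode and a break-glass exclusion; the Step 3 wave "admin roles and MFA first" is where that gets applied. The following is an added example, not the page's own procedure, that creates an MFA policy the way that bullet describes and then reads back what it would have blocked. The pilot group name `CA-Pilot-MFA` and the account `breakglass-01@contoso.example` are hypothetical placeholders.

```powershell
# Added example, not from the original page. Conditional Access rollout with a safety net:
# report-only first, pilot group only, break-glass account excluded. Names are hypothetical.
$scopes = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All',
            'Group.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

$pilot      = Get-MgGroup -Filter "displayName eq 'CA-Pilot-MFA'"          # assumed pilot group
$breakGlass = Get-MgUser -UserId 'breakglass-01@contoso.example'            # assumed emergency account
if (-not $pilot -or -not $breakGlass) {
    throw 'Pilot group or break-glass account not found; refusing to create a policy without them'
}

$policy = @{
    displayName = 'PILOT Require MFA for all cloud apps'
    # Report-only: the policy is evaluated and logged on every sign-in but enforces nothing yet
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilot.Id)
            excludeUsers  = @($breakGlass.Id)   # break-glass stays outside every policy, always
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($new.DisplayName)' ($($new.Id)) in state $($new.State)"

# Before enforcing: how many sign-ins in the last week would this policy have blocked?
# Report-only results appear in the sign-in log as reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signins = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$wouldFail = $signins | Where-Object {
    $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $new.Id -and $_.Result -eq 'reportOnlyFailure' }
}
$affectedUsers = @($wouldFail.UserPrincipalName | Sort-Object -Unique)
"Sign-ins that would have been blocked: $(@($wouldFail).Count) from $($affectedUsers.Count) distinct users"
$affectedUsers

# Promotion to enforced is a separate, deliberate step once the numbers above look right;
# the rollback is the same call with state = 'disabled', which takes effect within minutes.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id -BodyParameter @{ state = 'enabled' }
```

Two design points: the script refuses to run if the break-glass account cannot be resolved, because a policy created without the exclusion is exactly the lockout scenario the bullet warns about; and the "what would have failed" query runs against the policy's own ID rather than its display name, so renaming the policy later does not silently break the check. Widening from the pilot group to all users is a second policy change with the same report-only pause in front of it.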
What realistically changes afterwards
- You have a list in which every active license shows who has it, why, and when that was last reviewed. The same applies to admin roles.
- New employees get a clean onboarding path — license profile, groups, standard apps. Instead of three days of setup work per person, it’s half an hour.
- The question “Does everyone have MFA?” is answerable in ten seconds. The question “Who has access to management data?” likewise.
- SharePoint has a comprehensible structure in which the main user groups find what they’re looking for again. The discussion “do we take mail or Teams?” moves from habit to rule.
- At the next license renewal you negotiate on the basis of usage data, not on “last year we had it like this”.
What you contribute
- Access: a global admin in the tenant who gives us read and later configuration rights in a targeted way. We don’t work with our own permanent admin accounts.
- Stakeholder time: one person from your IT (or with IT responsibility) who is reachable — estimated 2–4 hours per week during the active phases. Plus management for two or three short decision points.
- Knowledge of quirks: which department works how, who reacts sensitively to tool changes, are there special licenses for external service providers, is there shadow IT somewhere that only a few people know about.
- Willingness to co-document. We deliver the structured documentation, but the answer to “Why does the marketing department actually have its own SharePoint site?” has to come from your side.
Risks & when it does NOT fit
- If a migration is running in parallel — from an old Exchange server, from Google Workspace or from another tenant — then cleanup only makes sense once the migration is finished. Before that, you’re touching a moving target.
- If there is no consensus in-house that it’s a problem. Tenant cleanup is not a gift to end users, but a change. If management isn’t behind it but treats it as a pure IT task, it fails on communication, not on technology.
- If you’re currently in an acute security incident. Then first incident, then forensics, then hardening, then cleanup — not jumbled.
- If the expectation is to roll out Copilot broadly in four weeks without cleaning up the data basis. Then first clean up, then Copilot. Copilot does not bypass permissions, but it surfaces everything a user technically has access to, so every forgotten “Everyone in the company” link and every over-shared site turns into a search result.
How the conversation starts
30 minutes initial conversation, free of charge, by video or phone. What we clarify: rough headcount, license packages in use, who currently administers the tenant, what the current trigger is (renewal, new wave, audit, insurer). From this it emerges whether a cleanup project is the right path or whether something else should come first.
Requests get a reply during service hours, remotely. An initial conversation can typically be arranged within 3–5 working days, depending on what’s going on with me; honestly speaking, this is a solo operation.
Frequently asked questions
How long does it typically take? Picture an 80-employee company with moderate sprawl — that’s usually in a substantially better state in 4–8 weeks. An organization with multiple sites and more entangled permissions takes correspondingly longer. In the initial conversation we name an honest range, not wishful thinking.
Do we have to interrupt work? No. The point of the step-by-step approach is that daily operations continue. End users in the best case only notice that their sign-in now requires MFA and that an old SharePoint site is archived after prior announcement.
What happens to the data in sites we delete? Nothing is deleted without explicit approval. Sites that look dead are first archived (readable, but no longer writable), site owners are informed, and only after a grace period is a final decision made. Backup belongs in front of this anyway; we check that along the way.
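The "archive first, decide later" answer above, and the SharePoint wave with a rollback path from Step 3, as an added example rather than the page's own tooling. It uses the SharePoint Online Management Shell (module Microsoft.Online.SharePoint.PowerShell) and takes a CSV with a `Site URL` column as input, the same shape the usage report produces. The tenant admin URL `https://contoso-admin.sharepoint.com` and the file names are assumptions. The site lock state before the change is written to a manifest, and `-Rollback` replays that manifest, so the wave can be undone exactly.

```powershell
# Added example, not from the original page. Archive wave for inactive SharePoint sites:
# sites are set read-only (not deleted), the previous lock state is recorded, and -Rollback
# restores it. -DryRun rehearses the wave without changing anything. Names are assumptions.
param(
    [string]$InputCsv = '.\spo-inactive-90d.csv',        # assumed: CSV with a 'Site URL' column
    [string]$Manifest = '.\archive-wave-manifest.csv',
    [switch]$DryRun,
    [switch]$Rollback
)

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # hypothetical tenant admin URL

if ($Rollback) {
    # Rollback path: put every site back to exactly the lock state recorded before the wave
    foreach ($row in Import-Csv $Manifest) {
        Set-SPOSite -Identity $row.Url -LockState $row.PreviousLockState
        "restored $($row.Url) -> $($row.PreviousLockState)"
    }
    return
}

$manifest = foreach ($row in Import-Csv $InputCsv) {
    $site  = Get-SPOSite -Identity $row.'Site URL'
    $entry = [pscustomobject]@{
        Url               = $site.Url
        Owner             = $site.Owner               # who to notify before the grace period starts
        Template          = $site.Template
        PreviousLockState = $site.LockState           # normally 'Unlock'; needed for rollback
        ArchivedAt        = (Get-Date).ToString('o')
        Note              = ''
    }
    if ($site.Template -like 'GROUP#*' -or $site.Template -like 'TEAMCHANNEL#*') {
        # Microsoft 365 group / Teams sites are governed through the group; a site lock would
        # break the Teams experience. Flag them for the group-expiry route instead of locking.
        $entry.Note = 'group-connected: handle via group expiration or Set-SPOSiteArchiveState'
        $entry
        continue
    }
    if (-not $DryRun) { Set-SPOSite -Identity $site.Url -LockState ReadOnly }
    "$(if ($DryRun) { '[dry-run] ' })set ReadOnly on $($site.Url) (owner: $($site.Owner))"
    $entry
}

# The manifest is the rollback plan: keep it with the change record for the wave
$manifest | Export-Csv $Manifest -NoTypeInformation
"manifest written to $Manifest ($(@($manifest).Count) sites)"
```

Run it once with `-DryRun` and show the manifest to the site owners; that is the "prior announcement" from the FAQ. The final deletion is deliberately not in this script: after the grace period it is a separate, approved step, and until then `-Rollback` returns every site to the state it was in, which is what "each wave has a rollback path" means in practice.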
Can’t we do this ourselves? If you have a person in-house who masters Microsoft Graph, Entra ID concepts, SharePoint permission inheritance and license mapping in their sleep — yes, of course. If that person is needed full-time for other things, an external sprint that gets it done in weeks instead of months is worthwhile.