Home / Use Cases / Tenant Cleanup

How do we clean up a Microsoft 365 tenant that has grown organically over the years?

Clean up licenses, SharePoint sites and admin roles in a structured way — without disrupting operations. How to tidy up your Microsoft 365 tenant.

Your Microsoft 365 tenant has grown organically over three, four, five years — and nobody in the company can honestly say anymore who needs which license, which SharePoint sites are still in use, or why there are 14 distribution lists with near-identical names. This page describes what a structured cleanup looks like — without bringing operations to a halt or locking people out by accident.

Does this sound familiar?

Why now — and not later

What this would look like at your company

Step 1 — An honest, complete assessment (weeks 1–2)

We go through your tenant with read-only access and pull the hard data: which licenses are assigned, which are actually used (sign-in logs, app usage), who has admin rights, how many SharePoint sites exist, which of them have seen activity in the last 90 days, what the MFA status is, and which Conditional Access policies are actually enforced. The result is a compact document — what’s in good shape, what’s off, what’s urgent, what can wait. Written so management can read it too.

Stack: Microsoft Graph, Entra ID sign-in logs, SharePoint Admin Center, Microsoft 365 Admin Center, Defender for Cloud Apps (where available).

Step 2 — Define the target state (weeks 2–3)

Together with you, we define what good looks like: which license profiles fit which roles in your organization? Who genuinely needs E5, and who is fine with Business Premium? What would the SharePoint structure look like if it were designed from scratch? Who gets to be an admin going forward, and under what conditions? This won’t be a mountain of PowerPoint — it will be a short architecture sketch you can understand and sign off on.

Stack: Confluence/Notion/SharePoint for the documentation, depending on where your documentation lives.

Step 3 — Cleanup in controlled waves (weeks 3–8)

We don’t change everything at once. The order is deliberate: admin roles and MFA first — the biggest security risk and, at the same time, the change end users notice least. Then license reallocation in small groups, always tested beforehand. Then the SharePoint cleanup, with clear advance notice to site owners about what happens to each site: archived, deleted or restructured. Every wave has a rollback path in case something goes wrong.

Stack: PIM (Privileged Identity Management), Entra ID Access Reviews, SharePoint Admin Center, Microsoft Defender for Office 365, Intune (where devices are affected).

Step 4 — Handover and a quarterly rhythm (week 8+)

At the end, you get documentation that would let someone else understand your configuration — deliberately built that way. Plus a quarterly rhythm of license checks, admin reviews and SharePoint activity reports, so the next “it just grew over the years” never gets a chance to form.

What to look out for

What realistically changes afterwards

What you contribute

Risks & when it does NOT fit

How the conversation starts

A 30-minute initial conversation, free of charge, by video or phone. What we cover: rough headcount, the license packages in use, who currently administers the tenant, and what triggered this now (renewal, new hiring wave, audit, insurer). From there it becomes clear whether a cleanup project is the right move — or whether something else needs to come first.

Remote response is immediate during service hours. An initial conversation can typically be arranged within 3–5 working days; we confirm the next available slot as soon as you get in touch.

Book an initial conversation

Frequently asked questions

How long does it typically take? Picture a company with 80 employees and moderate sprawl — it’s usually in noticeably better shape within 4–8 weeks. An organization with multiple locations and more deeply entangled permissions takes correspondingly longer. In the initial conversation we give you an honest range, not wishful thinking.

Do we have to interrupt our work? No. The whole point of the step-by-step approach is that daily operations keep running. In the best case, end users only notice that sign-in now requires MFA and that an old SharePoint site gets archived — with advance notice.

What happens to the data in sites we delete? Nothing is deleted without explicit approval. Sites that look dead are archived first (readable, but no longer writable), the site owners are informed, and only after a grace period is the final decision made. A backup belongs in place before any of this anyway — we check that as part of the project.

Can’t we do this ourselves? If you have someone in-house who knows Microsoft Graph, Entra ID concepts, SharePoint permission inheritance and license mapping inside out — yes, absolutely. If that person is needed full-time for other things, an external sprint that gets it done in weeks instead of months pays off.