Microsoft 365 Is Not a Product. It’s an Implementation Strategy.

Jason Webster

Field CTO - Microsoft 365 & Azure

Most organizations use only a fraction of Microsoft 365. The gap is not licensing. It is a lack of implementation planning. This guide outlines how to unlock value across identity, data, security, and AI.


Why Microsoft 365 Is Underutilized

Every week, I sit down with an IT leader who is paying for Microsoft 365 E3 or E5 and using maybe 30% of it. Not because the other 70% is not valuable, but because of some roadblock that stalls their ability to put it to use. 

That is the state of Microsoft 365 in most mid-market organizations. The license is access to a set of capabilities. What you actually get depends entirely on whether you go in with a plan to put them to good use.

What a Microsoft 365 Roadmap Actually Delivers

I run what I call Microsoft 365 Productivity, Security, and Compliance Roadmaps for companies of all sizes. It is a two-week effort that delivers a prioritized, defensible plan that executives can fund. Two weeks – that’s what it takes – about 20 hours max of a client’s attention. It’s probably one of the things I do that creates the most long-term value for clients, and it happens to be one of the lightest budget lifts. If you are going to invest five, six, or seven figures in licensing, it’s worth two weeks to build a plan for it.

The same themes come up in almost every engagement. Ok, off my soapbox, here is an actual post about what I see most often. 


Identity and Endpoint Management: The Biggest Gap

Entra ID and Intune are table stakes for a secure, well-managed Microsoft 365 environment. 

Most (though a few holdouts remain) agree that modern authentication (cloud authentication, Conditional Access, and device trust) and cloud-based endpoint management provide more security and visibility and reduce management time once you are there. The transition is the hard part. Getting from on-prem Active Directory and legacy device management to modern identity, Conditional Access, and Intune-managed endpoints is a real project with real dependencies. It requires planning, a phased rollout, and someone willing to push through the friction within the organization. Organizations that skip the planning usually stall halfway through, end up with a hybrid mess, and wonder why their security posture has not improved.

The goals are clear; the business wants these outcomes: 

  • All users on Entra ID cloud-based identities, so their identity and access can be secured. 
  • Everyone on Entra ID-joined devices with strong Conditional Access policies, giving complete visibility of users, devices, and company data. 
  • Every device managed from the cloud, for consistent policy, visibility, and lower management cost. 
  • Users able to work flexibly and securely from where they need to (not from everywhere). 

A Practical Plan for Entra ID and Intune

Here is the high-level plan to achieve it: 

  • Align business goals – Understand the needs of the business, how users (and agents) work, where they do it, and what tools they need to be successful. All decisions from this point need to align with this goal to avoid missing the mark. 
  • Define your Identity and Access Management (IAM) policy – Understand what secure authentication looks like in every scenario. 
  • Define the out-of-the-box experience (OOTB) – What does the full user and device lifecycle need to look like? 
  • OneDrive – The largest friction point in transition is getting users into their new profiles. Known folder redirection to OneDrive allows their files to come with them. Big win for the end user experience. 
  • Intune – Simplified management and consistency for desktops, laptops, and mobile devices creates a more secure and stable solution. Fewer issues, lower support costs. 
  • Enroll devices – often with existing tools/scripts – visibility and reach are a valuable first step. 
  • Define and enforce policy – don’t waste time migrating legacy GPOs. Build what your policy should be to align with the new capability. 
  • Patching and updating – drive consistency with patch and update policies to start bringing everyone to a consistent posture. 
  • Application deployments – package applications starting with the big ones (M365 Apps) and work your way down the list. 
  • Rollout – plan your rollout schedule. Everyone getting new devices? Roll out as devices retire and get refreshed? Group by group? A combination of them all? All are valid strategies. Just be prepared to chase down that last 10% of users or so. 
  • Change Management – This is the most misunderstood part of the entire program. Communication is critical to the end-user experience. Build and execute a well-defined organizational change management (OCM) strategy. Value isn’t achieved until users can do their work effectively with the tools we provide. There is little to no value in a technical solution that doesn’t get adopted. 
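One way to put numbers on the four goals above before and during the rollout, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK and assumes the `Microsoft.Graph` module is installed and the signed-in account has read-only directory and policy permissions.

```powershell
# Added example, not from the original post: measure the Entra ID / Intune gap against the four goals.
# Assumes the Microsoft.Graph module is installed; the scopes below are read-only.
Connect-MgGraph -Scopes 'User.Read.All', 'Device.Read.All', 'Policy.Read.All' -NoWelcome

# Goal 1: cloud identities. Accounts still synced from on-prem AD have OnPremisesSyncEnabled = $true.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, UserType |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' }
$synced = $users | Where-Object { $_.OnPremisesSyncEnabled }

# Goal 2: Entra ID-joined devices. TrustType 'AzureAd' = joined, 'ServerAd' = hybrid joined, 'Workplace' = registered only.
$devices = Get-MgDevice -All -Property Id, DisplayName, TrustType, IsManaged, IsCompliant, OperatingSystem, AccountEnabled |
    Where-Object { $_.AccountEnabled }
$joined = $devices | Where-Object { $_.TrustType -eq 'AzureAd' }

# Goal 3: cloud management. IsManaged is set once a device is enrolled in MDM (Intune); IsCompliant reflects compliance policy.
$managed   = $devices | Where-Object { $_.IsManaged }
$compliant = $devices | Where-Object { $_.IsCompliant }

# Goal 4: Conditional Access that is actually enforcing, not parked in report-only mode.
$caPolicies   = Get-MgIdentityConditionalAccessPolicy -All
$caEnforced   = $caPolicies | Where-Object { $_.State -eq 'enabled' }
$caReportOnly = $caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }

function Get-Pct($part, $whole) {
    if (-not $whole) { return 0 }
    [math]::Round(100 * $part / $whole, 1)
}

# Scorecard for the roadmap: re-run it each phase and watch the percentages move.
[pscustomobject]@{
    Users                = $users.Count
    UsersStillADSynced   = $synced.Count
    DevicesTotal         = $devices.Count
    'EntraJoined%'       = Get-Pct $joined.Count $devices.Count
    'IntuneManaged%'     = Get-Pct $managed.Count $devices.Count
    'Compliant%'         = Get-Pct $compliant.Count $devices.Count
    CAPoliciesEnforced   = $caEnforced.Count
    CAPoliciesReportOnly = $caReportOnly.Count
} | Format-List

# The "last 10%" to chase down: enabled devices that are not joined or not managed from the cloud.
$devices | Where-Object { $_.TrustType -ne 'AzureAd' -or -not $_.IsManaged } |
    Select-Object DisplayName, OperatingSystem, TrustType, IsManaged, IsCompliant |
    Sort-Object TrustType, DisplayName | Format-Table -AutoSize
```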

Lots more in the playbook on what we still see as the #1 priority for most clients: modernizing their authentication and management tools. 


Modernizing File Shares Without Breaking the Business

We all know why we need to move on: security blind spots, data that is inaccessible to AI, rising storage costs, and so on. But it’s tricky to get there. 

Where does the data go? SharePoint? OneDrive? Teams? The answer depends on how your teams actually work, and most organizations have not thought it through before they started migrating. The result is data spread across too many places, no consistent lifecycle policy, and storage costs that keep climbing. 

The harder problem is adoption. You can move the files. Getting users to change how they work is a different project entirely. The organizations that do this well build momentum by starting with the team most willing to change, getting them working well in the new environment, and letting that become the standard everyone else follows. 

The hardest part for some is understanding what data to move. Do I move it all, then clean up? Do I clean up, then move? Either way works, and neither way is 100% accurate. The main thing we need to avoid is inaction because we don’t have a perfect picture. 

We will get more into pressures driving the need to modernize where data lives in the coming section, but first, let’s focus on the approach. I always encourage clients to think about their data across three tiers. 

Personal Data – data that is created by users and shared ad hoc with their peers. The owner of the data determines who gets access. 

Department/Group Data – data that requires a single source of truth, strict role-based access controls, and structure. 

Application Data – data that users interact with through an application and rarely directly access via a file system. 

Doing this allows us to map appropriately where data should live based on its type. Then we can solve the challenges above: 

  • Define your data lifecycle – technical decisions can’t get made without clear direction. 
  • Target low-hanging fruit for archiving – make easy decisions on large swaths of data against the defined retention plan. 
  • Personal Data -> OneDrive & Teams 
  • Department Data -> SharePoint & Teams, but is presented back through OneDrive for easy access 
  • Application Data -> Azure Files (hot data) and BLOB Storage (archive) 
  • Let your retention policy come to life and manage through your data lifecycle, not individual datasets. 
  • Support – You will inevitably archive something that shouldn’t be archived. Have a plan to restore it back to hot storage. Support will be at its highest week one, and you’ll barely notice it by week three. 

Getting data into places where it can be utilized effectively is cited as one of the biggest opportunities when we do roadmaps for a reason. Users want flexible access, security needs better visibility into that access, the business needs better identification and classification of where sensitive data is, etc. Those are things we just can’t achieve effectively with legacy file share platforms. 


AI Pressure Is Here. Most Teams Aren’t Ready.

AI is already in your users’ hands in some form. Agents are coming faster than most IT departments can absorb them. The pressure to deliver these capabilities is real, and it is not going away. 

I’d like to tackle this in two ways based on the conversations we have and where I see most get stuck. 

The first direction is the pressure to adopt AI from business leaders due to promises of productivity gains. Licenses are purchased, users start leveraging Copilot, and adoption falls off a cliff after the initial excitement wave passes. It’s not that Copilot isn’t effective, it’s that it needs a clear plan, communication, and agreement on the problem Copilot will solve. Copilot is a tool just like any other tool. Here is a short framework for how we might go about planning with an AI Readiness Roadmap. 

  • Structured Discovery. Let’s identify up to 10 opportunities for AI and automation, outline the objectives, and discuss the technical components. 
  • Prioritized Roadmap. Let’s build a plan for the implementation, testing, and measurement (time saved, quality improvement, reduced rework, or my favorite: increased reach and revenue) of value loops we need to measure success. 
  • Production. Let’s build those solutions based on their impact, measure the result, and reinvest in the numerous ideas that spawn from AI success. 

The second direction is more of a blocker. Concerns about data security and governance. We addressed the need to house data in modern locations in the previous section. That is often a roadblock in businesses. Questions about security, oversharing, data loss prevention, etc., come up. All are very important and all are addressable with Microsoft Purview. However, we don’t need to get to 100% to extract benefits from AI securely. These are parallel processes. You can leverage Agents to provide AI-driven outcomes while curating their knowledge locations to data you can use today. Simultaneously, you can be running a prioritized data modernization and compliance initiative that provides more trusted locations where you have visibility and control over who and what has access to your information. 

Agentic AI is taking off, but we haven’t even scratched the surface yet. The pressure is about to go way up. The launch of Cowork, autonomous agents, and the concept of ambient AI is going to accelerate the transformation of how business gets done. The current phrase I hear all the time is “SaaS is dead”. It’s hard to visualize a future where we don’t interact with apps but only with agents, but at the same time, it’s not THAT hard. With ambient AI, do you really need websites, or do you just need results? “Computer, book me that tee time. You know, the one that fits my schedule where the weather is in my tolerance range and all my friends are available.” You can leave that last part out, the AI knows you. 

This is another area where the new business has a speed and agility advantage over the established business, drowning in legacy tech debt and processes. Clients love to discuss how to innovate and stay ahead. 

Agent 365 adds another layer. Governance for AI agents is a newer discipline, and most IT teams are figuring it out in real time. The organizations that will do this well are the ones building the data governance foundation now, before the pressure becomes impossible to ignore. 

Here is what people need to do now: 

  • Data governance hygiene 
  • Access controls 
  • Agent governance models 

Lastly, step out of your past. I know it’s hard for me sometimes – I’ve been doing this for a few decades. Really think: how would I build this business from scratch today? Move towards your gut instinct. 


Security Tool Sprawl vs. Platform Consolidation

EDR from one vendor. Anti-spam from another. Identity protection somewhere else. CASB on top of that. Most mid-market organizations have accumulated security tools over the years through individual decisions, and nobody has stepped back to ask whether they actually work together. The trend in the industry has been to adopt a best-of-platform approach and augment it with third-party tools only where specific gaps or needs require it. This consolidation simplifies security, provides unique visibility, and most importantly, allows events to be correlated across the stack more efficiently by non-human processes (automation and agents). This increases security and makes security monitoring more efficient. 

Microsoft Defender consolidates most of this. Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Defender for Cloud. These are designed to share signal and work as a unified platform, with Sentinel sitting above it as the SIEM and SOAR layer. Organizations that have invested in E5 are often already paying for this. They are just not using it. I’ve had the ability to see a lot of fragmented systems. A combination of that expertise, some best practices from our ThreatDefender MXDR team, and just following what I’ve seen work for other clients has helped with this planning. 

The primary advantage is increased security. The added benefit is that the platform costs less than a series of stitched-together solutions in both licensing and support. 


Microsoft 365 Success Is an Implementation Problem

Microsoft 365 is one of the most capable platforms in enterprise IT. It is also one of the most consistently underused. The gap between what organizations pay for and what they actually get is not a licensing problem. It is an implementation problem. 

It’s a small investment to build a plan. Prioritize it and be ready to execute. 


Build Your Microsoft 365 Roadmap

Turn underused licenses into measurable business value with a prioritized, executive-ready plan.


May 19–21, 2026 • Microsoft Virtual Roadshow Days • 1–5 PM EST