
M365 is a set of capabilities, not products. You need to implement it.

Jason Webster · March 25, 2026

Every week I sit down with an IT leader who is paying for Microsoft 365 E3 or E5 and using maybe 30% of it. Not because the other 70% is not valuable, but because of some roadblock that stalls their ability to put it to good use.

That is the state of Microsoft 365 in most mid-market organizations. The license is access to a set of capabilities. What you actually get depends entirely on whether you go in with a plan to put them to good use.

I run what I call Microsoft 365 Productivity, Security, and Compliance Roadmaps for companies of all sizes. A two-week effort that delivers a prioritized, defensible plan that executives can fund. Two weeks -- that's what it takes -- about 20 hours max of a client's attention. It's probably one of the things I do that creates the most value long-term for clients and it happens to be one of the lightest budget lifts. If you are going to invest five, six, seven figures in licensing, it's worth two weeks to build a plan for it.

The same themes come up in almost every engagement.

Identity and endpoint management is still the biggest gap.

Entra ID and Intune are table stakes for a secure, well-managed Microsoft 365 environment.

Most agree that modern authentication and cloud-based endpoint management provide more security and visibility, and reduce management time once you are there. The transition is the hard part. Getting from on-prem Active Directory and legacy device management to modern identity, conditional access, and Intune-managed endpoints is a real project with real dependencies. It requires planning, phased rollout, and someone willing to push through the friction within the organization. Organizations that skip the planning usually stall halfway through, end up with a hybrid mess, and wonder why their security posture has not improved.

The goals are clear:

  • All users on Entra ID cloud-based identities to secure their identity and access.
  • Everyone on Entra ID-joined devices with strong conditional access policies for complete visibility.
  • Every device managed from the cloud for consistent policy, visibility, and reduced management costs.
  • Users able to flexibly and securely work from where they need to.

Here is the high-level plan to achieve it:

  • Align business goals. Understand the needs of the business, how users work, where they do it, and what tools they need to be successful.
  • Define your Identity and Access Management policy. Understand what secure authentication looks like in every scenario.
  • Define the out-of-the-box experience. What does the full user and device lifecycle need to look like?
  • OneDrive. Known folder redirection to OneDrive allows files to come with users during profile transition.
  • Intune. Simplified management and consistency for desktops, laptops, and mobile. Enroll devices, define and enforce policy, manage patching, deploy applications.
  • Rollout. Plan your rollout schedule -- by device refresh cycle, by group, or a combination.
  • Change Management. Communication is critical to the end user experience. Value isn't achieved until users can do their work effectively with the tools provided.
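
One way to track progress toward the goals above during rollout, as an added example that is not from the original article: it scores an exported user and device inventory and lists the objects still blocking each goal. The field names follow the Microsoft Graph user and device resources; the records, the `contoso.example` names and the `readiness` function are constructed for illustration.

```python
# Added example: score a tenant export against the identity/endpoint goals.
# Field names follow Microsoft Graph user and device resources; the records
# below are constructed sample data, not output from a real tenant.

USERS = [  # constructed
    {"userPrincipalName": "ava@contoso.example", "accountEnabled": True, "onPremisesSyncEnabled": None},
    {"userPrincipalName": "ben@contoso.example", "accountEnabled": True, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "cy@contoso.example", "accountEnabled": True, "onPremisesSyncEnabled": None},
    {"userPrincipalName": "old@contoso.example", "accountEnabled": False, "onPremisesSyncEnabled": True},
]
DEVICES = [  # constructed
    {"displayName": "LT-001", "trustType": "AzureAd", "isManaged": True, "isCompliant": True},
    {"displayName": "LT-002", "trustType": "ServerAd", "isManaged": True, "isCompliant": False},
    {"displayName": "PH-003", "trustType": "Workplace", "isManaged": False, "isCompliant": None},
    {"displayName": "LT-004", "trustType": "AzureAd", "isManaged": True, "isCompliant": True},
]

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def readiness(users, devices):
    """Return progress metrics plus the objects still blocking each goal."""
    active = [u for u in users if u.get("accountEnabled")]
    # onPremisesSyncEnabled is true for accounts synced from on-prem AD and
    # null/false for cloud-only identities.
    synced = [u["userPrincipalName"] for u in active if u.get("onPremisesSyncEnabled")]
    # trustType: AzureAd = Entra joined, ServerAd = hybrid joined,
    # Workplace = registered (personal) device.
    not_joined = [d["displayName"] for d in devices if d.get("trustType") != "AzureAd"]
    unmanaged = [d["displayName"] for d in devices if not d.get("isManaged")]
    # Assumption: a "require compliant device" conditional access rule is planned.
    # A missing compliance state is treated as non-compliant.
    ca_blocked = [d["displayName"] for d in devices if d.get("isCompliant") is not True]
    return {
        "cloud_identity_pct": pct(len(active) - len(synced), len(active)),
        "entra_joined_pct": pct(len(devices) - len(not_joined), len(devices)),
        "managed_pct": pct(len(devices) - len(unmanaged), len(devices)),
        "still_synced_users": synced,
        "not_entra_joined": not_joined,
        "unmanaged_devices": unmanaged,
        "would_fail_compliant_device_policy": ca_blocked,
    }

if __name__ == "__main__":
    for key, value in readiness(USERS, DEVICES).items():
        print(f"{key}: {value}")
```

The last list is the one to review before enforcing a compliant-device policy, since those devices would lose access on the day it is switched on.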

Legacy file shares are unfinished business for most IT teams.

Where does the data go? SharePoint? OneDrive? Teams? The answer depends on how your teams actually work, and most organizations have not thought it through before they started migrating. The result is data spread across too many places, no consistent lifecycle policy, and storage costs that keep climbing.

Think about data across three tiers:

  • Personal Data -- created by users, shared ad-hoc. The owner determines access.
  • Department/Group Data -- requires a single source of truth, strict role-based access controls, and structure.
  • Application Data -- users interact with it through an application and rarely access it directly via the file system.

Mapping data to the right location lets you make decisions at scale rather than case-by-case.

AI is creating pressure IT teams are not ready for.

AI is already in your users' hands in some form. The pressure to deliver Copilot capabilities is real and not going away.

The organizations getting real value from Copilot started with a specific business problem -- meeting recaps taking too long, first drafts eating half a writer's day, help desk resolution time too slow. Something measurable. Then they deployed to that team first, measured the outcome, and expanded from there.

Data governance and compliance are a parallel workstream, not a prerequisite. You can leverage Agents to provide AI-driven outcomes while curating their knowledge locations to data you can use today. Simultaneously, you can be running a prioritized data modernization and compliance initiative.

Agent governance is a newer discipline, and most IT teams are figuring it out in real time. The organizations that will do this well are the ones building the data governance foundation now, before the pressure becomes impossible to ignore.

Fragmented security platforms are expensive and hard to manage.

EDR from one vendor. Anti-spam from another. Identity protection somewhere else. Most mid-market organizations have accumulated security tools over years of individual decisions, and nobody has stepped back to ask whether they actually work together.

Microsoft Defender consolidates most of this. Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Defender for Cloud are designed to share signal and work as a unified platform, with Sentinel sitting above it as the SIEM and SOAR layer. Organizations on E5 are often already paying for this. They are just not using it.

The primary advantage is increased security. The added benefit is that a consolidated platform costs less than a series of stitched-together solutions in both licensing and support.

Understanding the capability and putting it into play

Microsoft 365 is one of the most capable platforms in enterprise IT. It is also one of the most consistently underused. The gap between what organizations pay for and what they actually get is not a licensing problem. It is an implementation problem.

It's a small investment to build a plan, prioritize it, and be ready to execute.