Microsoft 365 Migration and Management: A Business Guide

Microsoft 365 Migration and Management: A Business Guide

Almost every business we talk to is already on Microsoft 365. Very few of them are actually managing it.

The distinction matters more than it sounds. Buying licenses gets you the platform. What you do afterward decides whether that platform is an asset or a liability, and most organizations discover which one they have on the day someone needs a file back that Microsoft no longer has.

This guide covers what a migration actually involves, how to think about licensing, what ongoing management means in practice, and the one gap that catches more businesses than everything else combined.

For hardening the security settings inside your tenant specifically, our Microsoft 365 email security configuration guide goes deep on that topic. This guide covers everything around it.

What Managed Microsoft 365 Actually Means

Having Microsoft 365 means you pay for licenses and your email works. Managing Microsoft 365 means someone is responsible for:

Most small and mid-sized businesses have exactly none of these assigned to anyone. The platform runs by default settings until something breaks, and then it becomes an emergency.

Our Hosted Exchange and Microsoft 365 services exist to own that list so it stops being nobody's job.

Migrating to Microsoft 365: What It Actually Involves

Migrations get sold as simple. They are not complicated, but they are unforgiving, and the failures are all in the details.

Discovery. Inventory what exists: mailboxes and their sizes, shared mailboxes, distribution lists, public folders, the file shares nobody has opened since 2019, the line-of-business application that sends email through the old server, and the printer with SMTP credentials hard-coded into it. That printer will break. It always does.

Planning. Decide licensing, tenant naming, domain handling, cutover approach, and what does not come along. This is the phase where you fix things rather than migrate the mess. A migration is the best chance you will get for years to clean up permissions, retire dead accounts, and restructure shared drives.

Preparation. Configure the tenant, set up identity, establish DNS records, build security baselines, and stage the data. Most of the actual work happens here, before users notice anything.

Migration. Data moves. For a staged cutover, mail syncs in the background and users switch over in waves. For a small business, a weekend cutover is often cleaner than a phased approach.

Cutover and validation. DNS flips, mail flows to the new home, and someone verifies that every mailbox, calendar, delegate permission, and shared resource actually works. This is the step that gets rushed.

Stabilization. The two weeks after go-live generate the most tickets. Signature problems, mobile devices that will not reconnect, a delegate permission that did not carry, the scanner that stopped scanning to email. Budget for it. A migration that ends at cutover is a migration that ends badly.

Typical timeline: two to four weeks for a business under 25 users with a clean environment. Four to eight weeks for 25 to 100 users. Longer if you have public folders, an on-premise application dependency, or a compliance obligation that requires the old data to be preserved in a specific way.

What goes wrong most often: underestimating mailbox sizes, forgetting the devices and applications that authenticate to the old system, migrating permissions structures nobody understands, and skipping the communication to users so the help desk drowns on Monday morning.

Choosing a License Without Overpaying

Microsoft's licensing is genuinely confusing, and the confusion is expensive in both directions.

The two failure modes are equally common. Some businesses buy the cheapest tier and then pay separately for security tools that a higher tier would have included. Others buy premium licenses for every user when only a fraction of the staff needs the advanced features.

A few principles that hold up regardless of what Microsoft renames things next quarter:

Not every user needs the same license. A warehouse worker who needs email on a phone and a controller who needs advanced compliance features do not belong on the same SKU. Mixed licensing across your tenant is normal and usually cheaper.

Compare the bundle against the alternative. Higher tiers often include security and compliance capabilities that would cost more purchased separately. Before you decline the upgrade, price what you would buy instead. Sometimes the expensive license is the cheap option.

Audit assignments regularly. The most common finding in a license review is paying for people who left. Offboarding that removes building access but not a Microsoft license is extremely common, and it quietly bills forever.

Annual commitments cost less, but lock you in. If your headcount fluctuates, the flexibility may be worth the premium.

We handle software licensing and procurement as part of managed service, largely because license sprawl is one of the easiest costs to eliminate and one of the least likely to get noticed internally.

The Gap: Microsoft Does Not Back Up Your Data

This is the section worth reading twice.

Microsoft operates under a shared responsibility model. Microsoft is responsible for keeping the platform running: physical infrastructure, network availability, service uptime, and replicating your data across data centers so the service stays online. You are responsible for your data. Backup, recovery, access management, and retention are your obligations, not Microsoft's.

Microsoft is not subtle about this. Their Services Agreement recommends that customers regularly back up their own content stored on the services.

Most business owners hear "it's in the cloud" and assume that means protected. It means available. Those are different words.

Replication Is Not Backup

Microsoft replicates your data across data centers. That protects against a data center failing. It does not protect against anything you or an attacker does to the data itself.

Delete a file, and the deletion replicates. Encrypt a file with ransomware through a synced OneDrive client, and the encrypted version replicates. Microsoft faithfully copies your disaster to three locations within minutes. That is the system working correctly, which is the problem.

The Native Retention Windows Are Shorter Than You Think

Here is what Microsoft actually keeps, and for how long:

Data typeNative retentionConfigurable?Exchange Online deleted items14 days by defaultYes, extendable to 30 days maximumSoft-deleted mailbox30 daysNoSharePoint and OneDrive recycle bin93 days across both stagesNoDeleted SharePoint site collection93 daysNoDeparted user mailbox after license removal30 daysNoDeparted user OneDrive30 days by defaultOnly if configured in advance

After those windows close, the data is permanently purged. Not archived. Not recoverable by escalating to Microsoft support. Gone.

Microsoft documents the SharePoint behavior directly in its service assurance documentation: after 93 days, sites and all their content and settings are permanently deleted, including lists, libraries, pages, and subsites.

Why the Windows Do Not Save You

Three scenarios break every one of them.

Slow-burn discovery. Most data loss is not noticed the day it happens. A finance folder that got restructured in March gets discovered as broken in August. The recycle bin closed in June.

Ransomware. Retention preserves the deleted version of a file. It does nothing about the encrypted version, because encryption is not deletion. Retention will faithfully hold your encrypted files. And attackers routinely empty recycle bins as an early step precisely because they know it is the only native recovery path.

Malicious or careless deletion. Someone with permissions who double-deletes through both recycle bin stages eliminates every native recovery option in a few clicks. Departing employees do this more often than anyone likes to admit.

Retention Policies Are Not Backup Either

This trips up sophisticated organizations. Retention policies and legal hold were built for compliance and content lifecycle governance, not for point-in-time recovery. They preserve data for discovery. They do not give you a clean copy from last Tuesday that you can restore in an hour when a department's SharePoint site gets wrecked.

A real backup is separate, point-in-time, and recoverable. That is what our SaaS backup solutions provide, and it is why we treat it as a requirement rather than an add-on for every Microsoft 365 client. Our broader take on why backup tooling fails businesses is covered in data backup tools are letting businesses down, and recovery time and point objectives explains how to decide what recovery speed you actually need.

What Ongoing Management Looks Like

After the migration, the work does not stop. It changes shape.

Identity and access. Who can get in, from where, with what. This is the foundation, and default settings are permissive.

Onboarding and offboarding. Offboarding is the one that hurts. A departed employee with a live mailbox is a security problem, a licensing cost, and a compliance issue simultaneously. It needs a repeatable process, not a memory.

Permission drift. SharePoint permissions degrade over time. Someone shares a folder externally to solve a Tuesday problem, and that link works forever. Periodic review is the only fix.

External sharing governance. Default settings allow more external sharing than most businesses intend. Worth an explicit decision rather than an accident.

Backup verification. A backup that has never been restored is a theory. Testing is the difference between having backup and having recovery.

Change management. Microsoft ships changes constantly. Some are improvements. Some alter your security posture without asking. Someone needs to be reading the message center, and it will not be you.

Monitoring. Compromised Microsoft 365 accounts are among the most common security incidents SMBs experience. Unusual sign-ins, mail forwarding rules quietly created by an attacker, and MFA registrations from unexpected devices are all detectable if someone is watching. Our help desk and remote support and security operations cover this as standard.

Who This Matters Most For

Regulated businesses. If you are subject to HIPAA, FFIEC, or PCI DSS, your Microsoft 365 configuration is in scope for audit, and "we used the defaults" is not a control. Compliance management applies to your tenant the same as to your network.

Healthcare practices. Patient data in a Microsoft 365 tenant carries the same obligations as patient data anywhere else, including the retention and recovery requirements. See our healthcare industry services.

Financial institutions. Examiners ask about data recovery capability, and the answer needs to be more specific than the recycle bin. See our banking industry services.

Any business that has been on 365 for more than three years. Configuration drift is real. Tenants accumulate stale accounts, forgotten sharing links, and licenses for people who left in 2023.

Common Questions

Does Microsoft back up my Microsoft 365 data?No. Microsoft maintains infrastructure redundancy so the service stays available, which is not the same as backing up your data so you can recover it. Under the shared responsibility model, backup and recovery of your content is your obligation, and Microsoft's own Services Agreement recommends that customers back up their content.

How long does Microsoft keep deleted emails and files?Exchange Online deleted items are recoverable for 14 days by default, extendable to a 30-day maximum. SharePoint and OneDrive recycle bins hold items for 93 days across both stages, and that window is not configurable. After those periods, data is permanently purged and cannot be recovered, including by Microsoft support.

Can ransomware affect data in Microsoft 365?Yes. Ransomware can encrypt files that sync to OneDrive and SharePoint through desktop sync clients, and the encrypted versions replicate normally. Retention preserves deleted items, not encrypted ones, so native features do not get you back to a clean copy.

How long does a Microsoft 365 migration take?Two to four weeks for a business under 25 users with a straightforward environment, and four to eight weeks for 25 to 100 users. Public folders, on-premise application dependencies, and compliance requirements extend the timeline.

Do I still need backup if I have retention policies and legal hold?Yes. Retention and legal hold were built for compliance preservation, not point-in-time recovery. They will preserve encrypted or corrupted data faithfully. Backup gives you a separate, restorable copy from before the problem.

Which Microsoft 365 license does my business need?It depends on your security and compliance requirements, and you probably need more than one type. Mixed licensing across a tenant is normal. Before declining a higher tier, price the security tools you would buy separately to replace what it includes, because the bundle is frequently cheaper.

What happens to a departed employee's data?Once the license is removed, the mailbox is permanently deleted after 30 days. OneDrive data is retained for 30 days by default, extendable only if configured in advance. This is why offboarding needs a documented process rather than an ad hoc one.

Getting Your Tenant Under Control

Microsoft 365 is an excellent platform that assumes someone competent is administering it. For most small and mid-sized businesses, nobody is, and the gap does not surface until a file is gone or an account is compromised.

Harbour Technology Consulting has managed Microsoft environments for businesses across Dayton, Cincinnati, Columbus, and Indianapolis for more than 20 years, including migrations, licensing optimization, tenant hardening, and the backup layer Microsoft expects you to provide yourself.

Contact us for a Microsoft 365 assessment, or call (937) 428-9234.

Related Reading

Request a Free IT Assessment

Schedule a free assessment to evaluate your current IT setup and discover how our services can enhance your business.

Get In Touch