
Your Microsoft 365 Migration Is Finished. The Real Problems Have Just Begun.

A finished Microsoft 365 migration project plan marked complete on a London office desk, with a tenant admin console open behind it showing unconfigured security controls

A construction company in London picked up the phone to me a few months after their Microsoft 365 migration was signed off as complete.

I asked what their current MSP was actually doing for them. The answer was simple. Tickets get raised to create a user. Tickets get raised to offboard a user. That was it.

Nothing on security. No visibility on which files were shared with whom or with the outside world. No training on SharePoint or OneDrive, so the team used neither properly. Documents lived where they had always lived, on someone's desktop, in someone's inbox, on a USB stick in a site office.

The migration had finished months earlier. The invoice had been paid. The project plan said complete. From the outside it looked done.

From the inside, nobody knew what was going on inside their own Microsoft 365 tenant.

That call is the reason this article exists.

The Migration Is the Easy Part

If you are reading this and your business has just been through, or is about to go through, a Microsoft 365 migration, here is something you will not hear from the company doing it for you.

The migration itself is the easy bit.

The tooling is mature. The process is well rehearsed. Mailboxes move. Files move. Domains cut over. A reasonably competent technician can run a small or medium migration with very few surprises. The three weeks of project work that everyone focuses on is the part that almost always goes fine.

What determines whether your investment in Microsoft 365 actually pays off, or quietly turns into a mess, is not the migration. It is the six months that follow it.

That is the part nobody scopes. Nobody quotes. Nobody warns you about.

So let me walk you through it.

  • The cutover is the rehearsed, well-tooled part, and it almost always goes fine
  • The real outcome is decided in the six months after the project plan says complete
  • Security hardening, adoption and governance are the work that nobody scopes or quotes for

The Security Gaps Your MSP Probably Left Open

Microsoft 365 ships with sensible defaults for Microsoft. Not for you.

Out of the box, a tenant is configured to be easy to set up, easy to share with, and easy to log into. Those three qualities are exactly what an attacker wants. If your migration project did not include a deliberate security hardening phase as part of a wider cybersecurity posture, here is what is most likely sitting in your tenant right now.

Multi-factor authentication is on for the administrators and nobody else. The most valuable accounts in your business, the ones with access to all your contracts, all your client data, all your finance information, can still be logged into with a password alone. A single phishing email is the only thing standing between an attacker and the keys to the building.

Legacy authentication is still enabled. This is a polite way of saying that old protocols designed before anyone took email security seriously, Basic Authentication over protocols such as IMAP and POP, are still accepted by your tenant. These protocols cannot enforce multi-factor authentication. Attackers know this, and they automate the search for tenants that still allow it.

External sharing is set to anyone with the link. Every time someone in your team shares a file from SharePoint or OneDrive, the default option offers up a link that anyone on the internet can use, with no login required. Files leak this way constantly, often without anyone realising.

Conditional access does not exist. There are no rules saying that a login from an unfamiliar country should be challenged, that an unmanaged device should be blocked, that a risky sign-in should require additional checks. Your tenant treats a login attempt from a foreign IP address at three in the morning the same way it treats your finance director logging in from her desk.

Audit logging is unconfigured or set to the minimum retention. If something does go wrong, you may not be able to investigate it, because the evidence has already been deleted.

Global administrator accounts are being used as daily working accounts. The most powerful accounts in your tenant, the ones that can disable security controls and walk off with everything, are being used to send emails and edit spreadsheets. If one of them is compromised, the attacker inherits the lot.

None of these are exotic. None of these require advanced licensing in most cases. They are the basic, unglamorous controls that should be in place before your migration is signed off, and they very often are not.

  • MFA limited to admins is the single most common gap, and the easiest one for a phishing campaign to walk through
  • Legacy authentication, default external sharing and missing conditional access are all on by default and still on in most tenants we audit
  • Audit logging and admin account hygiene are the controls you only realise you needed after an incident, when it is too late

The Operational Chaos of Months One to Six

Security is the part that should keep you up at night. The part that will make your team miserable is different, and it starts to bite about two weeks after go-live.

The shadow IT explosion. Your team needs to share a large file with an external supplier. SharePoint is locked down, or it is not, but nobody has shown them how to use it. So they reach for what they used before. Dropbox. WeTransfer. A personal Gmail account. Within a month, business data is leaving your tenant through every door except the one you paid Microsoft for.

The permissions drift. Files get re-shared. Folders get duplicated because someone could not find the original. Groups multiply. Six months in, nobody can tell you with confidence who has access to what, and the people who do have access often should not.

The licence creep. Someone needs Power BI. Someone needs a feature only available in E3. Without governance, individual upgrades happen quietly, the bill grows, and nobody is checking whether the licences being paid for are actually being used.

The training gap. Microsoft 365 is enormous. SharePoint, OneDrive, Teams, Planner, Lists, OneNote, Power Automate. If nobody has shown your team how these fit together, they will use Outlook and ignore the rest. Without proper user training, you will be paying for a Ferrari and driving it like a moped.

The legacy hangover. The old file server is still on. The old mailbox archive is still on. The previous tenant is still on. Something never quite migrated cleanly, and rather than fixing it, it has been left running. Every one of these is a security risk and a recurring cost.

The construction company that called me had every single one of these. None of them were on the project plan that had been signed off as complete.

  • Shadow IT, permissions drift and licence creep all start within weeks of cutover and compound silently
  • If your team does not understand SharePoint, OneDrive and Teams, they will fall back to Outlook and the tools they already trust
  • The legacy systems left running after migration are usually still costing you money and creating risk a year later

Why This Keeps Happening

I want to be honest about my own industry here, because the reader deserves it.

Most Microsoft 365 migrations are sold as fixed-price projects with a defined end date. The MSP scopes a piece of work, prices it, delivers it, and moves on to the next one. The technical cutover is what gets quoted. Security hardening, user training, governance, and adoption support are usually scoped out, or sold as a phase two that somehow never happens.

This is not always done in bad faith. It is just how the work has been packaged in this industry for a decade. Migrations are easy to quote. Outcomes are not. Selling the easy thing wins more deals than selling the right thing.

The result is that the incentive of the company doing your migration ends the day the cutover finishes. Your incentive begins the day after. That gap is where the problems live.

If you are a business owner, this is the bit to sit with. The migration was framed as an IT project. It is not. It is an operational change to how your entire business works, and the company you hired to do it has, in most cases, contractually finished their job before the operational impact has even started.

That is a leadership problem, not an IT problem.

  • Migrations are sold as fixed-price projects because they are easy to quote; outcomes are not
  • The vendor's incentive ends at cutover, yours begins the day after, and that gap is where the problems live
  • This is an operational change to how your business runs, not an IT project, and it deserves leadership attention

What Good Actually Looks Like in the First Six Months

If your migration is done and the rest of this article is making you uncomfortable, here is what a sensible recovery looks like. If your migration has not happened yet, this is what you should be insisting on as part of the work.

In the first week after cutover, every account in your tenant should have multi-factor authentication enforced, not just the administrators. Legacy authentication should be disabled tenant-wide. The default sharing setting should be changed from "anyone with the link" to something appropriate for your business, usually specific people only. Global administrator accounts should be separated from daily working accounts.

Within the first month, an external sharing audit should be run. Who outside your business has access to what? You will be surprised. A baseline conditional access policy should be in place. Audit logging should be configured with sensible retention. Someone should be responsible for reviewing admin role assignments and removing anything unnecessary.

By month three, your licences should be reviewed against actual usage. People with E3 who only use Outlook should be moved down. People stuck on Business Basic who need more should be moved up. Adoption should be measured, not assumed. The audit log should be reviewed for anything unusual.

By month six, you should have a written governance position. What are the rules for sharing? Who owns what? How long is data retained? What happens when someone leaves? You should have run, or at least scheduled, a tabletop exercise. If a senior account is compromised tomorrow, what happens, who decides what, and how quickly?

None of this is exotic. All of it is achievable. Almost none of it is in the average migration scope. It is the kind of work that belongs inside an ongoing managed IT relationship, not a fixed-price project that ended last quarter.

  • Week one: enforce MFA on every account, kill legacy auth, change default sharing, separate admin from daily accounts
  • Month one: external sharing audit, baseline conditional access, audit logging configured, admin roles reviewed
  • Month three: licences reviewed against actual usage, adoption measured rather than assumed
  • Month six: written governance, a tabletop exercise scheduled, clear answers to "what happens when X is compromised"
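The week-one and month-one checks above, and the gaps listed in the security section, can be confirmed from the tenant itself rather than taken on trust. The read-only audit script below is an added example, not something from the original article or from any MSP's toolkit; it assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, that the account running it has read-only admin rights, and that TENANT is replaced with your own tenant name. It changes nothing; it only reports findings.

```powershell
# Assumed modules: Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement.
# Read-only: every call below is a Get-*, so nothing in the tenant is modified.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory","Directory.Read.All"
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"   # TENANT is a placeholder
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()
$ca = @(Get-MgIdentityConditionalAccessPolicy)
$enabledCa = @($ca | Where-Object { $_.State -eq "enabled" })
$securityDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# 1. MFA for everyone: an enabled CA policy scoped to All users that grants only with MFA,
#    or security defaults (which also require MFA) switched on.
$mfaForAll = $enabledCa | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
if (-not $mfaForAll -and -not $securityDefaults) {
    $findings += "No tenant-wide MFA requirement: no CA policy for All users requiring MFA, security defaults off"
}

# 2. Legacy authentication: an enabled CA policy that blocks the legacy client app types
#    (Exchange ActiveSync and 'other' clients, which cover Basic Auth over IMAP/POP/SMTP).
$legacyBlocked = $enabledCa | Where-Object {
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -and
    $_.Conditions.ClientAppTypes -contains "other" -and
    $_.GrantControls.BuiltInControls -contains "block"
}
if (-not $legacyBlocked -and -not $securityDefaults) {
    $findings += "Legacy authentication is not blocked by conditional access"
}

# 3. Conditional access exists at all.
if ($enabledCa.Count -eq 0) { $findings += "No enabled conditional access policies" }

# 4. External sharing defaults in SharePoint/OneDrive.
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") { $findings += "Anonymous 'Anyone' links are allowed tenant-wide" }
if ($spo.DefaultSharingLinkType -eq "AnonymousAccess") { $findings += "Default sharing link is 'Anyone with the link'" }

# 5. Unified audit log switched on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) { $findings += "Unified audit log is not enabled" }

# 6. Global administrators that also have a mailbox are very likely daily working accounts.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id) {
    $upn = $member.AdditionalProperties.userPrincipalName
    if ($upn -and (Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)) {
        $findings += "Global admin $upn has a mailbox: probably used as a daily account"
    }
}
$findings   # an empty result means the six week-one/month-one controls are in place
```

Conditional access requires Entra ID P1 licensing; on a tenant without it, the script still reports the MFA and legacy-auth state via security defaults, which is the free equivalent.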

The Questions to Ask Before You Sign the Next Migration Contract

If you are about to engage an MSP for a Microsoft 365 migration, or you are evaluating whether the one who did yours is the right partner for what comes next, here are the questions that will tell you very quickly what kind of relationship you are buying.

Does the scope include security hardening, or just the technical cutover? If hardening is a separate quote, ask why.

What is your default position on multi-factor authentication and legacy authentication? If the answer is anything other than MFA on for everyone, legacy auth off, you have your answer.

Will my team be trained on SharePoint and OneDrive, or just told that they exist? Adoption is a deliverable, not an afterthought.

What does the first ninety days after cutover look like in your delivery model? If the answer is "raise a ticket if you need anything", that is a reactive ticket-shop. You need a partner.

Who in your team is responsible for the security posture of my tenant in six months' time? If nobody can name a person, nobody is.

These five questions will separate the migration vendor from the operational partner faster than any sales meeting. If you would value an independent view before you sign, that is exactly the kind of conversation our IT consulting work is built around.

  • Security hardening should be inside the migration scope, not a phase two that never lands
  • MFA on for everyone and legacy auth off should be the default position, not a debate
  • If the post-cutover plan is "raise a ticket", you have hired a vendor, not a partner

Closing

The construction company that called me did not have a Microsoft 365 problem. They had a relationship problem. The company that did their migration treated the cutover as the end of the engagement. The construction firm assumed it was the start.

Both can be true at the same time, and they often are. That is the gap into which most London SMBs quietly fall.

A Microsoft 365 migration is not a project that finishes. It is the start of how your business will run for the next decade. Whoever you trust with the cutover, make sure they are still there in month six, in month twelve, in year three. That is what a real cloud partner looks like.

If they are not, you are the one holding the risk. Not them.

If you are reading this and recognise your own business in any of it, that is worth a conversation. Not a sales call. A conversation about what is actually in your tenant, what is not, and what good would look like from here.


At Blue Icon IT, we help London businesses turn finished Microsoft 365 migrations into properly secured, properly adopted environments, and we stay with them through the months and years that follow. If your tenant has been quietly running without a real owner, get in touch.

Marc Dirrenberger

Blue Icon IT Founder & Tech Consultant

Marc helps businesses navigate technology adoption securely and effectively. He focuses on practical IT strategies that drive real business outcomes for SMBs and startups.
