
Many organisations invest heavily in Microsoft 365 projects but rarely review the environment once implementation is complete. The assumption is often that because Microsoft manages the underlying platform, there is little need for ongoing assessment and review. In reality, Microsoft 365 is one of the fastest evolving enterprise platforms in use today and environments can quickly drift away from security, governance and operational best practices.
Rewinding back to when services such as Exchange were hosted on-premises, updates and iterative software releases were determined largely by the organisation, their policies, budgets, and ‘end of life’ dates, and the need for regular ‘health checks’ was well recognised. These environments were predominantly hosted on company owned infrastructure that they were also responsible for the management of – storage, hypervisors, servers, load balancers, network infrastructure, and more.
Fast forward to today where these services run on a SaaS platform within the Microsoft 365 ecosystem, the need for regular configuration assessments and reassurances has for many been something they don’t really think too much about.
What is typically identified?
During tenant assessments, it is uncommon to find an environment that requires no improvement or opportunity for optimisation. Regardless of size or maturity, most organisations have opportunities to improve security, governance, licensing optimisation or operational efficiency.
In my experience, it’s common to find –
- Hundreds of Intune policies, scripts, and apps, many of which conflict, are duplicates or are simply unnecessary or complex.
- Conditional Access exclusions that jeopardise the security posture.
- Unused licences, or vastly underutilised licensed capabilities.
- Legacy configuration such as Hybrid joined devices, or Exchange workarounds.
- No governance and compliance configuration or defined strategy.
- No tenant backups or consideration to data retention.
- No defined Workplace roadmap or strategy leading the business and addressing business and technical objectives.
Some good reasons to regularly review and assess tenant services are –
- Microsoft 365 evolves at a rapid pace, with new features and capabilities being introduced regularly. As these changes are not controlled by individual organisations, it is easy to miss opportunities to improve security, governance, productivity or user experience.
- With well documented roadmaps of features in development, preview and general availability, it enables an opportunity to implement a Workplace roadmap over the coming months and years to keep pace with the latest enhancements, in a controlled manner.
- Configuration sprawl can easily get out of hand if not regularly addressed. Something commonly seen is mass configuration within Intune that administrators are not confident in amending due to complicated assignments and underlying configuration. Completing regular assessments highlights these and can help to understand where alternative configuration may be better suited, or current configuration retired.
- Security configuration drift from best practice is another area that can significantly impact the security posture of the environment. For example, a Conditional Access policy that is assigned to specific groups leaves the door open for users unintentionally being excluded from the policy and being at risk.
- Ensuring alignment to relevant configuration best practices like those within NCSC and CIS benchmarks is important. These recommendations and best practices are well recognised and are maintained to keep pace with evolving threats and feature availability.
- As a service provider, it’s important to demonstrate to customers that you are keeping them up to date with the latest feature availability, best practices, encouraging evolution, and ensuring that you are highlighting gaps and areas of improvement. Even if customers don’t ultimately proceed with the recommendations being made, if there’s documented proof that the advice was given, it supports good overall service management.
The above are just some of the reasons for why it’s a good idea to continue to perform regular assessments for a healthy environment both from a current and future perspective.
Why 2026 is a good example
This year (2026) in particular is a particularly good example of ensuring that regular assessments are completed that include advisory services and recommendations. In July 2026, there are significant changes to the M365 license SKUs that will mean new capabilities are included where they previously required additional licenses –

Reference – https://www.microsoft.com/en-us/licensing/news/2026-m365-packaging-pricing-updates
For M365 E5 licenses, they will now include features such as Microsoft Cloud PKI, Enterprise Application Management, and Intune Remote Help to name a few. These can add significant value to the organisation, or demonstrate better return on investment.
What an assessment includes?
A comprehensive Microsoft 365 assessment may include –
- A summary enabling multiple different stakeholders to review (technical and non technical audiences) from a high level without needing to read the whole document.
- A review of the alignment to a security benchmark such as CIS or NCSC.
- Licensing –
- Under/over subscription
- ROI
- Optimisation
- A consultative review of M365 solutions and services –
- Entra
- Intune
- Exchange
- SharePoint/OneDrive
- Teams
- Copilot
- Purview
- Defender
- Viva
- Areas for potential improvement, further adoption or general optimisation.
- Next steps recommendations and readiness for future adoption of solutions, for example, Copilot readiness.
- Identifications of the sorts of costs and effort to implement the recommendations.
The value is not just in identifying problems, but in defining what to do next.
Final thought
Microsoft 365 should not be viewed as a platform that is implemented and then left untouched. New features, evolving threats, changing business requirements and licensing changes all contribute to the need for ongoing review. Regular assessments help organisations reduce risk, maximise value from existing investments and create a roadmap for future and continuous improvement.