Microsoft 365
Scope
This document covers Microsoft 365 tenant architecture, including Exchange Online (mailbox migration, hybrid configuration, mail flow), SharePoint Online, Microsoft Teams, OneDrive for Business, Entra ID (formerly Azure AD) integration, conditional access policies, licensing tiers (E3/E5, add-ons, F-series frontline), compliance features (eDiscovery, DLP, retention policies, sensitivity labels), and migration from on-premises Exchange, SharePoint, and file servers to the M365 cloud platform.
Checklist
- [Critical] Is the M365 tenant configured with a verified custom domain, appropriate Entra ID synchronization (Entra Connect or Entra Cloud Sync), and hybrid identity or cloud-only identity strategy documented?
- [Critical] Are conditional access policies configured to enforce MFA, block legacy authentication protocols, restrict access by location/device compliance, and apply session controls for sensitive applications?
- [Critical] Is the Exchange Online mail flow designed with correct MX records, SPF/DKIM/DMARC configured for all sending domains, and connector configuration for hybrid or third-party mail routing?
- [Critical] Is the licensing model selected (E3 vs E5, add-on packs for compliance/security, F-series for frontline workers) with a clear understanding of feature differences, particularly around security and compliance?
- [Critical] Is the migration strategy for Exchange mailboxes defined (cutover, staged, hybrid, IMAP, or third-party tool) with batch scheduling, user communication plan, and rollback procedures?
- [Recommended] Are data loss prevention (DLP) policies configured to detect and prevent sharing of sensitive information (PII, financial data, health records) across Exchange, SharePoint, Teams, and OneDrive?
- [Recommended] Are retention policies and labels configured for email, SharePoint documents, and Teams messages to meet regulatory and business retention requirements?
- [Recommended] Is SharePoint Online site architecture planned with appropriate hub sites, site collections, permissions model (M365 Groups vs SharePoint groups), and storage quota allocation?
- [Recommended] Is Microsoft Teams governance defined including team creation policies, naming conventions, guest access controls, data lifecycle (expiration policies), and channel structure standards?
- [Recommended] Is OneDrive for Business configured with Known Folder Move (KFM) for desktop/documents/pictures redirection, sharing policies, and storage limits per user?
- [Optional] Is Microsoft Purview (formerly Compliance Center) configured for eDiscovery, audit logging, insider risk management, and communication compliance if required by regulatory obligations?
- [Optional] Are Microsoft 365 Copilot readiness requirements evaluated, including E3/E5 licensing prerequisites, data governance posture, and sensitivity labeling coverage?
- [Recommended] Is Microsoft 365 Copilot evaluated — AI assistant across Word, Excel, PowerPoint, Outlook, and Teams that generates content, summarizes documents, and automates workflows using organizational data from Microsoft Graph?
- [Recommended] Is Copilot licensing understood — Copilot requires Microsoft 365 E3/E5 base license plus Copilot add-on ($30/user/month), and data must be properly secured (Copilot respects existing permissions but surfaces content users have access to)?
- [Recommended] Is a tenant-to-tenant migration scenario documented if the organization has multiple M365 tenants requiring consolidation?
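An added example (not from the page, and not Microsoft's code) of the check behind the conditional access item in the checklist, run offline against constructed policies in the JSON shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The policy names, the break-glass object ID and the tenant state are assumptions. The point it makes is that an MFA-for-all policy scoped to browser and modern clients does nothing against legacy protocols, which cannot complete MFA at all, so the legacy-auth block must be enforced rather than left in report-only mode.

```python
"""Audit Entra ID conditional access policies for two baseline controls:
legacy authentication blocked, and MFA required for all users on all apps.

Added example, not code from the page or from Microsoft. The policy shape
is what Microsoft Graph returns from
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies;
the policies below are constructed, so this runs with no tenant access.
"""

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
INTERACTIVE_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}
ALL = "All"

# Constructed: a typical half-finished rollout. Object IDs are placeholders.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
        "conditions": {
            "users": {"includeUsers": [ALL], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": [ALL]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [ALL],
                      "excludeUsers": ["breakglass-placeholder-object-id"],
                      "excludeGroups": []},
            "applications": {"includeApplications": [ALL]},
            # Interactive clients only: legacy protocols never hit this policy.
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def _cond(p):
    return p.get("conditions") or {}


def _users(p):
    return _cond(p).get("users") or {}


def _client_types(p):
    return set(_cond(p).get("clientAppTypes") or [])


def _controls(p):
    g = p.get("grantControls") or {}
    return set(g.get("builtInControls") or []), g.get("authenticationStrength")


def is_enforced(p):
    return p.get("state") == "enabled"


def targets_all_users(p):
    return ALL in (_users(p).get("includeUsers") or [])


def targets_all_apps(p):
    return ALL in ((_cond(p).get("applications") or {}).get("includeApplications") or [])


def blocks_legacy_auth(p):
    """Enforced block of EAS and 'other' (basic auth) clients for everyone."""
    controls, _ = _controls(p)
    types = _client_types(p)
    return (is_enforced(p) and targets_all_users(p) and targets_all_apps(p)
            and ("all" in types or LEGACY_CLIENT_TYPES <= types) and "block" in controls)


def requires_mfa_for_all(p):
    """Enforced MFA (built-in control or authentication strength) for all users and apps."""
    controls, strength = _controls(p)
    types = _client_types(p)
    return (is_enforced(p) and targets_all_users(p) and targets_all_apps(p)
            and ("all" in types or INTERACTIVE_CLIENT_TYPES <= types)
            and ("mfa" in controls or strength is not None))


def audit(policies):
    findings = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{name!r} is report-only and enforces nothing")
        u = _users(p)
        excluded = len(u.get("excludeUsers") or []) + len(u.get("excludeGroups") or [])
        if is_enforced(p) and excluded:
            findings.append(f"{name!r} excludes {excluded} user(s)/group(s); "
                            "confirm these are break-glass accounts only")
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "mfa_for_all_users": any(requires_mfa_for_all(p) for p in policies),
        "findings": findings,
    }


def enable(policies, display_name):
    """Copy of the list with the named policy switched from report-only to enforced."""
    return [dict(p, state="enabled") if p.get("displayName") == display_name else p
            for p in policies]


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
    print(json.dumps(audit(enable(SAMPLE_POLICIES, "Block legacy authentication")), indent=2))
```

Feed it the `value` array of the Graph response (the app needs `Policy.Read.All`) and treat a false `legacy_auth_blocked` or `mfa_for_all_users` as a Critical finding. The exclusion line is informational: every tenant should exclude its break-glass accounts and nothing else, so anything beyond that deserves a look.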
Why This Matters
Microsoft 365 is the dominant cloud productivity platform in enterprise environments, and its configuration directly impacts security posture, compliance readiness, and user productivity. A poorly configured tenant -- no conditional access, audit logging switched off, overly permissive sharing defaults -- creates significant security and compliance risk. The gap between E3 and E5 licensing is substantial: E5 includes Microsoft Defender for Office 365 Plan 2 (automated investigation and response and attack simulation training on top of Plan 1's Safe Links and Safe Attachments), Entra ID P2 (risk-based conditional access, Privileged Identity Management), advanced compliance (auto-labeling, insider risk management), and Teams Phone. Organizations often under-license and miss critical security features.
Migration from on-premises Exchange and SharePoint to M365 is a common but complex undertaking that requires careful planning of identity synchronization, mail flow cutover, DNS changes, and end-user communication. Hybrid configurations (Exchange hybrid, Entra Connect) introduce ongoing operational complexity that must be managed or eventually decommissioned. The M365 ecosystem is rapidly expanding with Copilot AI features that depend on proper data governance and sensitivity labeling foundations.
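An added example, not the page's or Microsoft's code, of the pre-cutover mail authentication check implied by the SPF/DKIM/DMARC checklist item and the DNS changes mentioned above. It runs against constructed DNS data for the assumed domain `example.com` (the `spf.protection.outlook.com` entry is a simplified stand-in using documentation address ranges, not Microsoft's published record), so it needs no network access; swap the dict for real lookups to use it on a tenant.

```python
"""Offline SPF/DKIM/DMARC posture check for a Microsoft 365 sending domain.

Added example, not code from the page or from Microsoft. DNS data is a dict
so the checks run on constructed records; in practice fill it from real DNS
(for example with dnspython) before the MX cutover and again after it.
"""

# Constructed sample data; the outlook.com entry is a simplified stand-in
# using documentation address ranges, not Microsoft's published record.
SAMPLE_RECORDS = {
    "example.com": {"TXT": ["v=spf1 include:spf.protection.outlook.com "
                            "include:_spf.legacy-relay.example ~all"]},
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 "
                                           "include:spf-a.protection.outlook.com -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
    "selector1._domainkey.example.com": {
        "CNAME": ["selector1-example-com._domainkey.example.onmicrosoft.com"]},
    # selector2 CNAME deliberately missing
}

# The same domain after remediation (legacy relay retired, both selectors published).
HARDENED_RECORDS = {
    "example.com": {"TXT": ["v=spf1 include:spf.protection.outlook.com -all"]},
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    "selector1._domainkey.example.com": {
        "CNAME": ["selector1-example-com._domainkey.example.onmicrosoft.com"]},
    "selector2._domainkey.example.com": {
        "CNAME": ["selector2-example-com._domainkey.example.onmicrosoft.com"]},
}


def spf_records(name, records):
    return [t for t in records.get(name.lower(), {}).get("TXT", []) if t.lower().startswith("v=spf1")]


def count_spf_lookups(domain, records, path=frozenset()):
    """Count DNS-querying terms (RFC 7208 caps them at 10), following
    include/redirect through the supplied data. Returns (count, notes)."""
    if domain in path:
        return 0, [f"include loop at {domain}"]
    recs = spf_records(domain, records)
    if len(recs) != 1:
        return 0, [f"{domain}: expected one SPF record, found {len(recs)}"]
    count, notes = 0, []
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith(("include:", "redirect=")):
            target = term[len("include:"):] if term.startswith("include:") else term[len("redirect="):]
            count += 1
            if spf_records(target, records):
                sub, sub_notes = count_spf_lookups(target, records, path | {domain})
                count, notes = count + sub, notes + sub_notes
            else:
                notes.append(f"{target} not in supplied data; its own lookups were not counted")
        elif term.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count, notes


def check_spf(domain, records):
    recs = spf_records(domain, records)
    if len(recs) != 1:
        return [f"SPF: expected exactly one v=spf1 record on {domain}, found {len(recs)}"]
    last = recs[0].split()[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF: ~all only softfails spoofed mail; move to -all once DMARC reports show no missing senders"]
    if last in ("+all", "all", "?all"):
        return [f"SPF: '{last}' authorizes any sender, which is no protection at all"]
    return ["SPF: no terminal 'all' mechanism, so unlisted senders get a neutral result"]


def check_dkim(domain, records, selectors=("selector1", "selector2")):
    """Exchange Online signs with one of two selectors and switches on key
    rotation, so both CNAMEs must exist or signing breaks after a rotation."""
    findings = []
    for selector in selectors:
        name = f"{selector}._domainkey.{domain}"
        entry = records.get(name, {})
        cname = entry.get("CNAME", [])
        txt = [t for t in entry.get("TXT", []) if "p=" in t.lower()]
        if not cname and not txt:
            findings.append(f"DKIM: no record at {name}")
        elif cname and not cname[0].lower().endswith(".onmicrosoft.com"):
            findings.append(f"DKIM: {name} points at {cname[0]}, not the tenant's onmicrosoft.com key")
    return findings


def check_dmarc(domain, records):
    recs = [t for t in records.get(f"_dmarc.{domain}", {}).get("TXT", []) if t.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"DMARC: expected one record at _dmarc.{domain}, found {len(recs)}"]
    tags = dict(part.strip().split("=", 1) for part in recs[0].split(";") if "=" in part)
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} reports but never stops spoofed mail; target p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to find unauthenticated senders")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def check_domain(domain, records):
    findings = check_spf(domain, records) + check_dkim(domain, records) + check_dmarc(domain, records)
    lookups, notes = count_spf_lookups(domain, records)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; receivers treat it as permerror")
    return {"domain": domain, "ok": not findings, "spf_lookups": lookups,
            "findings": findings, "notes": [f"SPF: {n}" for n in notes]}


if __name__ == "__main__":
    for label, data in (("before", SAMPLE_RECORDS), ("after", HARDENED_RECORDS)):
        print(label, check_domain("example.com", data))
```

The `notes` list separates "could not verify" from "wrong": an include that is not in the supplied data hides its own lookups, so a domain is only known to be under the 10-lookup limit once every include resolves. Run the check against the hardened set after the MX cutover as well; a DKIM selector that was never published only shows up as a failure after the next key rotation.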
Common Decisions (ADR Triggers)
- E3 vs E5 licensing -- cost optimization vs security/compliance feature coverage, particularly Defender for Office 365 P2 and Entra ID P2
- Cloud-only vs hybrid identity -- Entra Cloud Sync vs Entra Connect, password hash sync vs pass-through auth vs federation
- Exchange hybrid vs cutover migration -- coexistence period requirements, mailbox count thresholds, calendar free/busy sharing needs
- SharePoint architecture -- hub sites vs flat structure, modern vs classic sites, storage allocation strategy
- Teams governance -- open team creation vs IT-controlled provisioning, guest access policy, retention and expiration
- DLP and retention scope -- which regulations apply (HIPAA, GDPR, SOX, PCI), which workloads require policy coverage
- Third-party security vs Microsoft native -- Defender for Office 365 vs Proofpoint/Mimecast, Entra ID P2 vs Okta/Duo
- Copilot readiness -- sensitivity labeling coverage, oversharing remediation, data governance maturity assessment
AI and GenAI Capabilities
Microsoft 365 Copilot -- GenAI assistant embedded across the M365 suite. Uses OpenAI GPT-4-class models grounded in organizational data via Microsoft Graph. Capabilities: draft documents in Word, generate formulas and analyze data in Excel, create presentations in PowerPoint, summarize and draft emails in Outlook, summarize meetings and generate action items in Teams. Copilot respects existing M365 permissions -- it can only return content the user could already open -- but it turns every over-permissioned SharePoint site, open sharing link and stale group membership into something reachable from a natural-language prompt, so permission hygiene and oversharing remediation are critical before deployment.
Microsoft Security Copilot (also marketed as Copilot for Security) -- AI assistant for security operations across Microsoft Defender, Sentinel, Entra ID, and Intune. Natural language security investigation, incident summarization, threat hunting queries, and guided remediation. Licensed separately from Microsoft 365 Copilot on consumption-based Security Compute Units (SCUs).
Licensing: Microsoft 365 Copilot requires an E3/E5 base license plus the $30/user/month add-on. Security Copilot is consumption-based (Security Compute Units). Both require Entra ID authentication and Microsoft Graph data access.
See Also
- providers/microsoft/exchange-onprem.md -- on-premises Exchange Server architecture and migration
- providers/microsoft/active-directory.md -- Active Directory and Entra ID identity architecture
- providers/azure/identity.md -- Azure identity and access management
Reference Links
- Microsoft 365 Documentation -- tenant setup, Exchange Online, SharePoint, Teams, and compliance features
- Microsoft 365 Licensing -- E3/E5 feature comparison, add-ons, and frontline worker licensing
- Conditional Access Policies -- MFA enforcement, device compliance, location-based access, and session controls