Disciplines · 06 · Workplace

Not what you turn on. What you don't.

Most M365 conversations start with what the suite unlocks. Ours start with what the business decides to shut. Consolidation is half the value of this ecosystem — arguably the easier half. The other half is the ability to decide what tools are available to users, and more importantly, which ones aren't. Most of the Workplace engagements we're called into exist because that second half never got done.

The frame

Two halves. One usually skipped.

Clichés are clichés for a reason — they're rooted in truth, then spun around so many times by marketing that what's actually valuable about the product gets clouded. M365 really does consolidate almost everything a business needs: email, meetings, files, shared workspaces, identity, endpoint, and the hooks into voice, analytics, and AI. Outside of niche cases, the suite covers the field. That's not a sales pitch. That's just what it is.

The half that gets lost isn't the pitch — it's the part the pitch leaves out. M365 lets a business decide, centrally, what tools users can reach for, and what tools they can't. That second half is where Workplace governance actually lives. It's also the half most SMBs never get to.

Consolidation is the easy half. Exclusion is the one that actually shapes the business.

Where most SMBs lose

Sprawl is the visible mess. Orphans are the real one.

The most common tenant we walk into has been running for years, with Teams and SharePoint sites created by anyone who wanted one, and no policy in place to stop it. Teams and SharePoint are the worst surfaces. The sprawl itself is tactical work — disable dormant sites, archive unused Teams, merge duplicates. The business can do that. We can help.

The nightmare begins when you point at a site and ask the business what it's for, and nobody can tell you. Where there's one orphan — a site or Team with no owner, no stated purpose, no recent activity — there are always more. Usually many more. They form a backlog the business itself can't describe, which is the definition of a governance failure.

Cleanup isn't the project. Accounting for what exists, and deciding what should, is.

On the words we use We avoid the phrase "best practice." Industry standard, popular standard — those are honest words. "Best practice" implies there's one right answer, and on Workplace questions there rarely is. There's what's best for this business. That's why the dialogue with the business matters more than the checklist we show up with.
The signature visual

Every engagement starts with this picture.

Before we recommend anything, we catalogue. Every Team, every SharePoint site, every collaboration surface the business owns — plotted against two axes. Activity on one (is anyone actually using it?) and ownership on the other (can someone tell us what it's for?). Four quadrants come out, and each one has a different treatment.

The Workplace Catalogue — a two-by-two of Activity by Ownership A two-by-two grid placing Teams and sites into four quadrants: Active and Owned gets kept and maintained, Active and Orphaned is highlighted in accent orange and flagged as the priority box, Dormant and Owned is recertified or archived by policy, and Dormant and Orphaned is archived by default and usually the largest quadrant. ACTIVE DORMANT ORPHANED OWNED ACTIVE · ORPHANED Find the owner. Now. In use, but no one is accountable. ACTIVE · OWNED Keep. Maintain governance. The quadrant you're building toward. DORMANT · ORPHANED Archive by default. Usually the biggest quadrant. DORMANT · OWNED Recertify or archive by policy. Owner says keep, or lifecycle retires it.
The shape of the picture is different for every tenant. The method isn't: catalogue first, then decide.
Where clients start

Three shapes of engagement.

Most of the calls we get are one of three shapes. The starting points are different; the underlying discipline isn't. Catalogue honestly, let the business decide what stays, and put rules in place so the sprawl doesn't reform.

Shape 01 — the common one

Sprawl cleanup.

A client with an almost limitless list of Teams built up over years. No policy had ever prevented anyone from spinning one up. The cleanup itself — disable, archive, merge — was work the client's own team could do. Our job was the layer above: figure out why this was possible in the first place, lay out the policy options that could shape the tenant going forward, and run a workshop with their IT team on everything that was available. The realization wasn't the Teams count. It was how many of those levers the business hadn't known they had.

Shape 02 — the favorite

Greenfield tenant stand-up.

A new tenant, no legacy decisions to argue with, no orphans to reconcile. We apply the playbook and the tenant comes up shaped. This is the engagement we like best, because the hardest question — "why is it like this?" — simply doesn't come up. What you turn on, what you shut off, and what gets an approval workflow are all decided on the way in, not retrofitted in year three.

Shape 03 — the complex one

Mergers and divestitures.

Mergers are the easier of the two. You're consolidating onto one set of policies, double-checking that what the acquired tenant did still fits, and picking the version of each decision that carries forward. Divestitures are where it gets hard. Asset ownership is contested — who owns a given Team, site, or file depends on who you ask — and the two companies often ran under different policies, which makes compliance a moving target until the split is clean.

The greenfield playbook

What we apply on day one of a new tenant.

The set of decisions most SMBs benefit from having already made by the time users log in for the first time. It isn't universal — we don't call any of it best practice — but it's the industry standard we reach for unless the business tells us otherwise.

Day-one foundations

What we configure before users sign in

  1. 01

    Identity posture

    MFA on, SSPR configured, and either Conditional Access (if Entra ID P1 or higher is in the licensing) or security baselines (if not). Identity is the first thing a user touches and the last line if everything else fails.

  2. 02

    Domain validation & mail flow

    Domains proved out, MX and autodiscover pointed correctly, SPF / DKIM / DMARC published and aligned. Nothing else works until mail flow is right, so we do it first, not last.

  3. 03

    Exchange Online Protection

    Anti-phish, anti-spam, anti-malware policies tuned out of default. Safe Links and Safe Attachments where licensed. External sender tagging on. EOP is the biggest win nobody remembers they already paid for.

  4. 04

    SharePoint & OneDrive sharing

    External sharing defaults decided intentionally, not left at whatever Microsoft shipped this quarter. Anonymous link posture, guest access, domain allow-lists, device controls on download. This is where most accidental data exposure actually happens.

  5. 05

    Teams & site provisioning

    Who can create a Team or a site, what naming convention is enforced, what owner and purpose fields are required, what lifecycle applies. The rules that keep sprawl from forming in the first place — decided once, at the start, and codified in policy.

What you walk out with

A shaped workspace, not just a licensed one.

Whichever shape the engagement takes — sprawl cleanup, greenfield stand-up, or M&A — the deliverables envelope is similar. The emphasis shifts, but the list doesn't.

  • Current-state inventoryTeams, sites, owners, last-activity, external sharing exposure — the picture the business didn't have before we started
  • Options documentEvery policy lever available, what each one does, who it affects, and what trade-off comes with turning it on or leaving it off
  • Recommended policy setThe configuration we'd apply in most tenants — framed as a recommendation for this business, not a universal rule, with reasoning beside each choice
  • Workshop for the IT teamA walkthrough of the full landscape of policies available. Most IT teams come out of this with three or four levers they didn't know existed
  • Applied tenant configurationRetention, lifecycle, sharing defaults, creation restrictions — configured in-tenant, not just documented in a deck
  • Provisioning playbookHow new Teams and sites get created going forward — who approves, what's required, what happens when they're dormant. The rule that keeps sprawl from reforming
"Just turning things on doesn't usually end up well. The whole value of the M365 suite is that a business gets to decide what's on — and, more importantly, what isn't." The stance on Workplace

Connected to

01 · Identity

Identity & zero trust

MFA, SSPR, and Conditional Access are the foundation every Workplace engagement is built on.

 07 · Devices

Devices & endpoint

The workplace shows up on an endpoint. Intune makes that endpoint safe.

 09 · AI

AI in the enterprise

Copilot lives inside M365. A shaped workspace is what makes it useful rather than noisy.

 11 · Governance

Data governance & compliance

Purview and sensitivity labels live on top of Workplace. Governance is the layer inside the tools.

Book a call

Teams sprawl? SharePoint graveyard? New tenant?

Whether the workplace is already running and the mess has crept up on you, or you're standing up a new tenant and want it shaped from day one — the first conversation is the same one. What's in the tenant now, what should be, and what the business is willing to decide.

Book a discovery call

Or reach us directly: info@fouronesixit.ca · (647) 371-0400