---
title: "How do we clean up a Microsoft 365 tenant that has grown organically over the years?"
description: "Clean up licenses, SharePoint sites and admin roles in a structured way — without disrupting operations. How to tidy up your Microsoft 365 tenant."
canonical: "https://demo22.berndt.to/en/use-cases/m365-tenant-cleanup/"
lang: en
schema_type: Article
---
# How do we clean up a Microsoft 365 tenant that has grown organically over the years?

Clean up licenses, SharePoint sites and admin roles in a structured way — without disrupting operations. How to tidy up your Microsoft 365 tenant.

## The short version

- **What:** A structured cleanup of a sprawling Microsoft 365 tenant: licenses, SharePoint sites, permissions and admin roles.
- **Who it's for:** Mid-sized companies whose tenant has grown along with the business for years — to the point where nobody has a clear overview anymore.
- **Timeline:** Typically 4–8 weeks for moderate sprawl, executed in controlled waves while daily operations continue.
- **Outcome:** A verifiable license and admin inventory, a clean SharePoint structure, and a quarterly rhythm that keeps new sprawl from forming.

A good fit if:

- Your license renewal is due within the next few months.
- Your insurer or auditor is asking about MFA status and admin roles.
- Copilot is on the roadmap, but the data foundation hasn't been cleaned up yet.

Your Microsoft 365 tenant has grown organically over three, four, five years — and nobody in the company can honestly say anymore who needs which license, which SharePoint sites are still in use, or why there are 14 distribution lists with near-identical names. This page describes what a structured cleanup looks like — without bringing operations to a halt or locking people out by accident.

## Does this sound familiar?

- Licenses were touched over the years whenever someone joined or left — but never reviewed systematically. Today there's an E5 license for people who only use email and Teams, and Business Basic for someone who actually needs Power BI.
- SharePoint sites have sprawled: one per project, several per department, some created by employees who left long ago. Nobody dares delete one, because no one knows whether it's still needed.
- Permissions are a tangle of direct assignments, groups, inherited rights and "Everyone in the company" sharing links that someone once fired off in a hurry.
- There are four global admins — two of them are former employees, one is the previous service provider, and the fourth is a service account whose password hasn't been changed since 2022.
- When someone asks "Who actually has access to the management folder?", you don't get an answer — you get a ten-minute click tour through SharePoint permissions that ends with "only the right people, I think."

## Why now — and not later

- **License renewal is coming up.** Your Microsoft contract renews within the next 3–9 months. Without a clear inventory, you keep paying for licenses nobody uses — and may even buy more on top.
- **A wave of new staff is on the way.** New trainees, a new location, a department doubling in size — the current onboarding workaround won't survive that.
- **Your cyber insurer or auditor has started asking questions.** MFA status, admin roles, Conditional Access, data classification — and you've realized the honest answer right now would be "We don't know exactly." That's something to clean up before someone else does it for you.

## What this would look like at your company

### Step 1 — An honest, complete assessment (weeks 1–2)

We go through your tenant with read-only access and pull the hard data: which licenses are assigned, which are actually used (sign-in logs, app usage), who has admin rights, how many SharePoint sites exist, which of them have seen activity in the last 90 days, what the MFA status is, and which Conditional Access policies are actually enforced. The result is a compact document — what's in good shape, what's off, what's urgent, what can wait. Written so management can read it too.

Stack: Microsoft Graph, Entra ID sign-in logs, SharePoint Admin Center, Microsoft 365 Admin Center, Defender for Cloud Apps (where available).

### Step 2 — Define the target state (weeks 2–3)

Together with you, we define what good looks like: which license profiles fit which roles in your organization? Who genuinely needs E5, and who is fine with Business Premium? What would the SharePoint structure look like if it were designed from scratch? Who gets to be an admin going forward, and under what conditions? This won't be a mountain of PowerPoint — it will be a short architecture sketch you can understand and sign off on.

Stack: Confluence/Notion/SharePoint for the documentation, depending on where your documentation lives.

### Step 3 — Cleanup in controlled waves (weeks 3–8)

We don't change everything at once. The order is deliberate: admin roles and MFA first — the biggest security risk and, at the same time, the change end users notice least. Then license reallocation in small groups, always tested beforehand. Then the SharePoint cleanup, with clear advance notice to site owners about what happens to each site: archived, deleted or restructured. Every wave has a rollback path in case something goes wrong.

Stack: PIM (Privileged Identity Management), Entra ID Access Reviews, SharePoint Admin Center, Microsoft Defender for Office 365, Intune (where devices are affected).

### Step 4 — Handover and a quarterly rhythm (week 8+)

At the end, you get documentation that would let someone else understand your configuration — deliberately built that way. Plus a quarterly rhythm of license checks, admin reviews and SharePoint activity reports, so the next "it just grew over the years" never gets a chance to form.

## What to look out for

- **Ask to see the rollback plan before anyone touches anything in the tenant.** Anyone who stalls at the question "What happens if this Conditional Access policy locks out 200 people?" doesn't have a plan yet. A good plan includes a test group, reporting on risky sign-ins and an emergency admin account.
- **Ask about the communication strategy for end users.** If SharePoint sites get archived or licenses change, the people affected need to know in advance — otherwise the tickets land on your desk, not the provider's.
- **Keep the Global Admin role in-house.** At least one person in your company must be able to deactivate any external service provider in the tenant. If a provider wants it any other way — that's a red flag.
- **Be wary of "we'll just migrate it over the weekend" offers.** Tenant cleanup is detail work. Anyone selling it as a weekend job either has a very small setup in mind or a very large dose of optimism.

## What realistically changes afterwards

- You have a list showing, for every active license, who has it, why, and when that was last reviewed. The same goes for admin roles.
- New employees get a clean onboarding path — license profile, groups, standard apps. Half an hour instead of three days of setup work per person.
- The question "Does everyone have MFA?" takes ten seconds to answer. So does "Who has access to management data?"
- SharePoint has a comprehensible structure in which the main user groups can find what they're looking for again. Whether something goes by email or through Teams now follows a rule instead of habit.
- At the next license renewal, you negotiate based on usage data — not on "that's what we had last year."

## What you contribute

- **Access:** a Global Admin in your tenant who grants us read access — and later, targeted configuration rights. We don't work with our own permanent admin accounts.
- **Stakeholder time:** one person from your IT (or with IT responsibility) who is reachable — an estimated 2–4 hours per week during the active phases. Plus management for two or three short decision points.
- **Knowledge of the quirks:** how each department works, who is sensitive to tool changes, whether there are special licenses for external providers, whether there's shadow IT somewhere that only a few people know about.
- **A willingness to co-document.** We deliver the structured documentation — but the answer to "Why does marketing actually have its own SharePoint site?" has to come from your side.

## Risks & when it does NOT fit

- **If a migration is running in parallel** — off an old Exchange server, from Google Workspace or from another tenant — cleanup only makes sense once the migration is complete. Before that, you're aiming at a moving target.
- **If there's no internal consensus that this is a problem.** Tenant cleanup isn't a gift to end users; it's a change. If management doesn't back it and treats it as a purely IT task, it fails on communication, not on technology.
- **If you're in the middle of an acute security incident.** Then it's incident response first, then forensics, then hardening, then cleanup — in that order, not all at once.
- **If the expectation is to roll out Copilot company-wide in four weeks without cleaning up the data first.** Clean up first, then Copilot — otherwise Copilot sees data it shouldn't.

## How the conversation starts

A 30-minute initial conversation, free of charge, by video or phone. What we cover: rough headcount, the license packages in use, who currently administers the tenant, and what triggered this now (renewal, new hiring wave, audit, insurer). From there it becomes clear whether a cleanup project is the right move — or whether something else needs to come first.

Remote response is immediate during service hours. An initial conversation can typically be arranged within 3–5 working days; we confirm the next available slot as soon as you get in touch.

[Book an initial conversation](/en/contact)

## Frequently asked questions

**How long does it typically take?**
Picture a company with 80 employees and moderate sprawl — it's usually in noticeably better shape within 4–8 weeks. An organization with multiple locations and more deeply entangled permissions takes correspondingly longer. In the initial conversation we give you an honest range, not wishful thinking.

**Do we have to interrupt our work?**
No. The whole point of the step-by-step approach is that daily operations keep running. In the best case, end users only notice that sign-in now requires MFA and that an old SharePoint site gets archived — with advance notice.

**What happens to the data in sites we delete?**
Nothing is deleted without explicit approval. Sites that look dead are archived first (readable, but no longer writable), the site owners are informed, and only after a grace period is the final decision made. A backup belongs in place before any of this anyway — we check that as part of the project.

**Can't we do this ourselves?**
If you have someone in-house who knows Microsoft Graph, Entra ID concepts, SharePoint permission inheritance and license mapping inside out — yes, absolutely. If that person is needed full-time for other things, an external sprint that gets it done in weeks instead of months pays off.

## Related

- Service: [Managed Microsoft 365 — when your workplace should finally help](/en/services/managed-m365)
- Use Case: [How do we make internal company knowledge searchable via Teams?](/en/use-cases/internal-knowledge-search)
- Knowledge (German): [What does Managed Microsoft 365 for 50 employees cost?](/de/wissen/was-kostet-managed-microsoft-365-50-mitarbeiter)

