Microsoft 365 Migration
and Security Modernization for an Agri-Food Production Company
Digicode replaced a password-only, Remote Desktop-dependent IT environment for an agri-food production company with 120 users across two locations in Europe. By deploying multi-factor authentication, Conditional Access policies, Microsoft Intune endpoint management, and a SharePoint Online migration, the organization moved from a reactive, patchwork infrastructure to a centrally governed Microsoft 365 workplace – 100% MFA adoption, 61 devices enrolled, 77 personal devices secured, and a legacy Remote Desktop environment retired for good.
Overview
Most IT environments don’t fail dramatically. They accumulate risk quietly – a shared login here, an untracked device there, a file server that drops connections on a busy morning.
By the time anyone pays serious attention, the gaps are already everywhere.
For an agri-food production company operating across two sites in Slovakia with 120 Microsoft 365 users, the situation was exactly that.
The business ran on a hybrid environment combining on-premises Active Directory with Microsoft 365 – functional in an earlier phase of growth, but well behind where its security posture needed to be.
User identities were protected by passwords alone. Corporate devices had no central inventory. File access ran through a Remote Desktop environment that broke regularly. And when employees were asked to accept full device management on their personal phones, they refused, which left a category of devices with access to corporate data sitting entirely outside any security policy.
Digicode designed and delivered a Microsoft 365 migration and IT infrastructure modernization program that addressed identity, endpoint, mobile, and collaboration in one coordinated initiative.
The result: 100% MFA adoption, 61 corporate devices under Intune management, 77 personal devices secured through Mobile Application Management, roughly 500GB migrated to SharePoint Online, and a Remote Desktop environment that no longer exists.
About the Client
The client is an agri-food production company headquartered in Bratislava, Slovakia, with production facilities in Horny Saliby. Approximately 120 Microsoft 365 users work across administration, production, quality assurance, logistics, purchasing, and commercial departments at two locations.
Operations spanning two sites meant every IT decision had cross-location implications.
The business had built its infrastructure incrementally – a hybrid of on-premises Active Directory and Microsoft 365 that worked in an earlier phase but no longer matched the security or operational requirements of a company with an expanding workforce and a growing remote work footprint. Two sites, multiple departments, one environment with no centralized device management, no identity controls beyond a password, and a file-sharing model that employees had learned to work around rather than rely on.
About Digicode
Digicode is an AI-enabled product development and consulting company, a Microsoft Partner with more than 18 years of experience in IT consulting, workplace modernization, and Microsoft 365 implementations.
Digicode designs, builds, and modernizes IT environments for organizations that need to move from legacy infrastructure to modern, governed, cloud-based platforms without disrupting daily operations. Cloud transformation and tech modernization are areas where the company brings direct experience – taking organizations from hybrid environments that have drifted from best practice back to a security posture that actually reflects the current threat landscape.
For this engagement, Digicode drew on its cloud migration and Microsoft Dynamics and Microsoft platform expertise to deliver a Microsoft 365 modernization program covering identity, endpoint management, mobile security, and SharePoint Online migration as one coordinated initiative, not a set of disconnected IT projects.
The Situation
IT security gaps tend to be interconnected in ways that make each one harder to address in isolation. Fix identity without touching devices and the endpoints are still unmanaged. Manage endpoints without addressing mobile and personal phones stay outside the perimeter. The organization had all of them at once.
-
Identities secured by passwords alone
No multi-factor authentication. No Conditional Access policies. Every user account was one compromised credential away from full network access. In an environment where remote work was expanding and employees were accessing systems from outside the office more often, that was a risk that compounded quietly every week.
-
No visibility into corporate devices
The organization had no complete inventory of its Windows devices and no reliable record of which device belonged to which employee. Device ownership was undocumented, compliance was unmonitored, and security policies couldn’t be consistently enforced across endpoints nobody had formally tracked. During the initial assessment, this turned out to be one of the most significant gaps the engagement had to address and it became the foundation everything else was built on.
-
File access dependent on Remote Desktop
Shared file access ran through a Remote Desktop environment. It worked until it didn’t and it didn’t with enough regularity to become a daily operational friction point. The environment carried hosting and maintenance costs with no corresponding security benefit, gave the business no auditability over who had accessed what, and was a file-sharing model that employees had learned to route around rather than depend on.
-
Personal devices left outside the perimeter
Employees used personal smartphones for work email and messaging. When asked to accept full mobile device management, they pushed back – a reasonable response from anyone being asked to hand IT complete control of a personal device. The outcome was a category of devices with real access to corporate data sitting entirely outside any security policy, with no way to enforce controls or selectively remove data if a device was lost or an employee left.
-
No audit trail on documents
Document access, sharing, and governance had no centralized visibility. The organization couldn’t reliably determine who had accessed a file, when, or whether that access was appropriate – a compliance and governance gap that widened with every passing month.
Multi-Factor Authentication
and Conditional Access policies
Multi-factor authentication was deployed across all 120 users, with Microsoft Authenticator as the required second factor. Conditional Access policies were configured to evaluate every login attempt against user identity, device compliance status, and location before granting network access. Self-Service Password Reset and security group-based access management brought authentication governance in line with current enterprise standards. All users were required to adopt the new controls before access continued.
Endpoint management through Microsoft Intune
Following an upgrade to Microsoft 365 Business Premium, Digicode enrolled 61 corporate Windows devices into Microsoft Intune, creating the organization’s first-ever centralized device inventory. Compliance policies, BitLocker encryption, and Microsoft Defender for Business were deployed across enrolled devices, with endpoint detection and response capabilities active across the managed endpoint estate. A hybrid management approach was maintained where Group Policy Objects were already established.
Mobile Application Management without full device control
The personal device problem was resolved through Mobile Application Management rather than full MDM enrollment. Outlook and Teams were secured on employees’ personal smartphones (corporate data protected and selectively removable) without IT taking over the device itself. Employees accepted it because they weren’t being asked to surrender control of a personal device. That distinction is what made adoption happen rather than stall.
SharePoint Online migration replacing Remote Desktop
Digicode designed and built approximately 20 SharePoint sites with structured document libraries, department-level permissions, and security group-based access control. A dedicated external collaboration site was built for partners and third parties. A communication portal with centralized navigation was added. Then roughly 500GB of business data was migrated from legacy storage, and the Remote Desktop environment was decommissioned.
The Solution
Digicode designed and implemented a Microsoft 365 migration and security modernization program addressing identity, endpoint management, mobile, and collaboration as a single coordinated initiative.
Before and After
How moving to a centrally governed Microsoft 365 workplace changed the operational reality:
|
Area |
Before |
After |
|---|---|---|
|
Identity protection |
Password-only access – no MFA, no Conditional Access policies |
100% MFA deployed, Conditional Access evaluating every login |
|
Device oversight |
No inventory, no compliance monitoring, no documented ownership |
61 devices centrally enrolled and managed in Microsoft Intune |
|
Personal devices |
Unmanaged – full MDM resisted and refused by employees |
77 devices secured via Mobile Application Management |
|
File sharing |
Remote Desktop environment, prone to outages and downtime |
SharePoint Online – ~20 governed sites, department-level permissions |
|
Business data |
~500GB on legacy infrastructure with no audit trail |
Migrated to SharePoint Online – governed, compliant, audit-ready |
|
Infrastructure cost |
Remote Desktop hosting and maintenance costs with no security return |
Legacy environment fully retired |
Area
Identity protection
Before
Password-only access – no MFA, no Conditional Access policies
After
100% MFA deployed, Conditional Access evaluating every login
Area
Device oversight
Before
No inventory, no compliance monitoring, no documented ownership
After
61 devices centrally enrolled and managed in Microsoft Intune
Area
Personal devices
Before
Unmanaged – full MDM resisted and refused by employees
After
77 devices secured via Mobile Application Management
Area
File sharing
Before
Remote Desktop environment, prone to outages and downtime
After
SharePoint Online – ~20 governed sites, department-level permissions
Area
Business data
Before
~500GB on legacy infrastructure with no audit trail
After
Migrated to SharePoint Online – governed, compliant, audit-ready
Area
Infrastructure cost
Before
Remote Desktop hosting and maintenance costs with no security return
After
Legacy environment fully retired
Results
This Is What Secure Looks Like
Every corporate device accounted for
61 corporate Windows devices are enrolled in Microsoft Intune – the first time the organization had a complete, centrally managed device inventory. Compliance monitoring, BitLocker encryption, and Microsoft Defender for Business with endpoint detection and response now cover every enrolled endpoint.
Remote Desktop replaced, data on SharePoint
Roughly 500GB of business data is now in SharePoint Online across approximately 20 governed sites. Around 100 users moved off Remote Desktop. The legacy environment was retired, along with the hosting and maintenance costs it was carrying.
First-ever device inventory established
Before the project, no reliable record existed of which corporate devices were in circulation or who was using them. Device ownership is now documented, compliance is monitored, and IT has full visibility into the endpoint estate for the first time.
Personal devices brought inside the perimeter
77 personal mobile devices are secured through Mobile Application Management. Corporate data on Outlook and Teams is governed and selectively removable without requiring full device enrollment that employees had already declined.
100% MFA adoption
Every one of approximately 120 users now authenticates through multi-factor authentication with Conditional Access evaluation on every login attempt. The password-only exposure is closed.
Infrastructure cost reduced
The retirement of the Remote Desktop environment eliminated a cost category that was adding operational overhead without adding security. Infrastructure complexity decreased with it.
Why It Matters
Security gaps rarely show up in an audit. They show up when something goes wrong – a phished login that grants network access, an unencrypted laptop that walks out the door, a file share that nobody can account for when asked.
The more common pattern is an IT environment that accumulated controls incrementally, each one addressing a specific problem without a view of the full picture. Identity gets addressed. Devices don’t. Collaboration gets modernized. Governance doesn’t follow. The gaps live at the intersections, and the intersections are where organizations actually get exposed.
Treating identity, devices, and data as three parts of one problem (rather than three separate IT projects) is what produced a result that holds. Every device is accounted for. Every login is verified. Every file has an owner and a trail.
That’s the difference between hoping nothing goes wrong and knowing you’d see it if it did.
Why the Project Succeeded
Built to Hold, Not Just to Launch
Microsoft 365 Business Premium used as a security platform
The organization was already paying for Microsoft 365. Like most organizations in that position, a significant portion of what they were paying for was sitting unused. The upgrade to Business Premium and full deployment of Intune, Defender for Business, and the Entra ID security feature set turned an underutilized productivity subscription into an enterprise security platform. The cost of the modernization was partly offset by eliminating the Remote Desktop infrastructure it replaced.
Security and usability designed together
The mobile device outcome is the clearest example. Employees had already refused full MDM enrollment – a position that was going to hold regardless of how the ask was framed. Mobile Application Management delivered the same data protection without requiring anyone to surrender control of a personal device. That’s why adoption happened. When security measures respect people’s reasonable objections, they get used.
Identity, devices, and data treated as one problem
The temptation in IT modernization is to sequence workstreams over multiple budget cycles: identity this year, endpoint management next, collaboration when there’s capacity. That approach leaves gaps at the intersections and intersections are where security exposure lives. Addressing the three as a single initiative was what made the result coherent rather than patchwork.
Foundation before breadth
The device inventory was established before compliance policies were enforced against it. Identity controls were deployed before endpoint management was layered on top. Each phase built on the previous one, which is what separates a system that holds from one that eventually needs to be done again properly.
How It Was Built
The program followed a deliberate sequence rather than running workstreams in parallel before the foundation was ready:
Discovery first
Full environment audit, device inventory baseline, and a modernization roadmap built around actual gaps – not assumptions about what a standard deployment looks like.
Identity before access
Microsoft Entra ID configured with MFA, Conditional Access, and SSPR before any other workstream opened. Users required to adopt Microsoft Authenticator before access continued.
Endpoints enrolled
Corporate Windows devices brought into Intune with compliance policies, BitLocker, and Defender for Business before personal device management was addressed.
Personal devices secured
MAM deployed for personal smartphones – Outlook and Teams protected without full device enrollment. Adoption happened because the ask was proportionate.
Collaboration migrated
~20 SharePoint sites built, ~500GB of data moved from legacy storage, Remote Desktop decommissioned.
Future Plans
The modernization established a foundation for continued investment.
On the roadmap: Microsoft Purview Information Protection and Data Loss Prevention, automation of employee onboarding and offboarding workflows, continued enrollment of devices not yet under Intune management, VPN modernization and secure network access enhancements, and expanded compliance monitoring. Much of this connects to Digicode’s broader work in enterprise AI solutions and data engineering, where automation and analytics extend what the Microsoft 365 security platform can do operationally.
Each of these builds on identity, device, and data governance infrastructure that is already in place, which means every next step is less complex than it would have been without this foundation.
Key Takeaways
-
Multi-factor authentication and Conditional Access policies together close the credential-based exposure that passwords alone cannot address
-
Endpoint management through Microsoft Intune requires a device inventory first – you can’t enforce compliance against assets you haven’t documented
-
Mobile Application Management resolves the BYOD problem that full MDM enrollment tends to create – same data protection, proportionate ask
-
SharePoint Online migration is not just a file move, but the opportunity to build governance, permissions, and auditability that legacy file-sharing environments never had
-
Treating identity, endpoints, and data as one modernization initiative closes the gaps that sequential, separate projects leave at the intersections
-
Microsoft 365 Business Premium already includes most of what mid-market organizations need for enterprise-grade security – the work is in the deployment, not the licensing
Related Resources
FAQ
-
What is Microsoft 365 security?
Microsoft 365 security is the combination of identity protection, endpoint management, threat detection, and data governance built into the Microsoft 365 platform. For most organizations, a significant portion of these controls (Conditional Access, MFA, Microsoft Defender, Intune) are available but not deployed. Microsoft 365 security means fully activating and configuring those layers, not just holding a Microsoft 365 subscription.
-
How does Microsoft 365 migration work?
Microsoft 365 migration involves moving data, user accounts, and workloads from legacy systems to Microsoft’s cloud infrastructure. This typically covers email migration, SharePoint Online migration from file servers or Remote Desktop environments, and user onboarding to modern authentication. A structured approach addresses identity security before data migration, reducing exposure during the transition and ensuring the new environment is governed from day one.
-
What are Conditional Access policies in Microsoft 365?
Conditional Access policies are rules in Microsoft Entra ID that evaluate every login attempt against defined criteria (user identity, device compliance, location, and risk signals) before granting access to corporate systems. Rather than relying on a correct password alone, Conditional Access can require MFA, restrict access to compliant devices, or block untrusted locations. It is one of the highest-impact identity controls in Microsoft 365.
-
What is multi-factor authentication?
Multi-factor authentication requires users to verify their identity through a second factor (typically an app notification or a code) in addition to their password. This means a stolen or phished password alone is not enough to gain network access. MFA is consistently one of the most effective security controls available and is a baseline requirement for any organization serious about protecting user identities and corporate systems.
-
What is endpoint management in Microsoft 365?
Endpoint management in Microsoft 365 refers to centralized control and monitoring of devices (Windows PCs, laptops, and mobile devices) through Microsoft Intune. IT teams can enforce compliance policies, deploy applications, manage encryption, and monitor device health from a single console. For organizations without a device inventory, Intune often provides the first real visibility into what is on the network and whether it meets security standards.
-
What is Microsoft Defender for Business?
Microsoft Defender for Business is an endpoint security solution designed for small and mid-sized organizations. It provides threat protection, attack surface reduction, endpoint detection and response, and automated investigation capabilities across managed devices. Defender for Business is included in Microsoft 365 Business Premium and integrates with Microsoft Intune, allowing security policies and threat monitoring to run from the same management console.
-
What is endpoint detection and response?
Endpoint detection and response (EDR) continuously monitors endpoints for signs of threat activity, detects anomalies, and provides investigation and response capabilities for security incidents. Unlike traditional antivirus, EDR identifies threats that have already bypassed initial defenses and gives IT teams the visibility to understand what happened and contain the damage. Microsoft Defender for Business includes EDR as part of Microsoft 365 Business Premium.
-
What is SharePoint Online migration?
SharePoint Online migration is the process of moving business data from on-premises file servers, network drives, or legacy environments (including Remote Desktop-based storage) to SharePoint Online in Microsoft 365. A well-executed migration establishes governed document libraries, department-level permissions, external collaboration sites, and full audit capabilities. It replaces infrastructure that was expensive to maintain and difficult to secure with a governed, cloud-based alternative.
-
What is IT infrastructure modernization?
IT infrastructure modernization is the process of replacing legacy systems, tools, and processes with modern cloud-based alternatives that are more secure, manageable, and cost-effective. In a Microsoft 365 context, this typically means retiring on-premises servers, Remote Desktop environments, and unmanaged device fleets in favor of centrally governed, cloud-managed infrastructure with identity protection, endpoint compliance, and data governance from a single platform.
-
What is cloud transformation?
Cloud transformation is the organizational shift from on-premises infrastructure to cloud-hosted services and platforms. In a Microsoft 365 context, this means moving identity management, device security, collaboration, and compliance monitoring to Microsoft’s cloud without on-premises server dependencies. For mid-market organizations, Microsoft 365 Business Premium provides enterprise-grade security and governance at a manageable cost and complexity level.
-
How does Digicode approach Microsoft 365 security modernization?
Digicode treats identity, endpoint management, and data governance as one coordinated initiative rather than separate projects. As a Microsoft Partner with over 18 years of experience, Digicode designs modernization programs that balance security with usability, deploying Conditional Access, Intune, and SharePoint Online migration in a sequence that closes gaps at the intersections other approaches tend to leave open.