Back
    Menu
    Close

    Microsoft 365 Migration
    and Security Modernization for an Agri-Food Production Company

    Digicode replaced a password-only, Remote Desktop-dependent IT environment for an agri-food production company with 120 users across two locations in Europe. By deploying multi-factor authentication, Conditional Access policies, Microsoft Intune endpoint management, and a SharePoint Online migration, the organization moved from a reactive, patchwork infrastructure to a centrally governed Microsoft 365 workplace – 100% MFA adoption, 61 devices enrolled, 77 personal devices secured, and a legacy Remote Desktop environment retired for good.

    hands over laptop keys and translucent icons
    stack of documents on a purple background

    No time right now?
    Save it for later

    Download the PDF version

    Overview

    Most IT environments don’t fail dramatically. They accumulate risk quietly – a shared login here, an untracked device there, a file server that drops connections on a busy morning.

    By the time anyone pays serious attention, the gaps are already everywhere.

    For an agri-food production company operating across two sites in Slovakia with 120 Microsoft 365 users, the situation was exactly that.

    The business ran on a hybrid environment combining on-premises Active Directory with Microsoft 365 – functional in an earlier phase of growth, but well behind where its security posture needed to be.

    User identities were protected by passwords alone. Corporate devices had no central inventory. File access ran through a Remote Desktop environment that broke regularly. And when employees were asked to accept full device management on their personal phones, they refused, which left a category of devices with access to corporate data sitting entirely outside any security policy.

    Digicode designed and delivered a Microsoft 365 migration and IT infrastructure modernization program that addressed identity, endpoint, mobile, and collaboration in one coordinated initiative.

    The result: 100% MFA adoption, 61 corporate devices under Intune management, 77 personal devices secured through Mobile Application Management, roughly 500GB migrated to SharePoint Online, and a Remote Desktop environment that no longer exists.

    laptop with a picture of a lock and numbers flying off the screen

    About the Client

    The client is an agri-food production company headquartered in Bratislava, Slovakia, with production facilities in Horny Saliby. Approximately 120 Microsoft 365 users work across administration, production, quality assurance, logistics, purchasing, and commercial departments at two locations.

    Operations spanning two sites meant every IT decision had cross-location implications.

    The business had built its infrastructure incrementally – a hybrid of on-premises Active Directory and Microsoft 365 that worked in an earlier phase but no longer matched the security or operational requirements of a company with an expanding workforce and a growing remote work footprint. Two sites, multiple departments, one environment with no centralized device management, no identity controls beyond a password, and a file-sharing model that employees had learned to work around rather than rely on.

    worker in white protective suit in workshop

    About Digicode

    Digicode is an AI-enabled product development and consulting company, a Microsoft Partner with more than 18 years of experience in IT consulting, workplace modernization, and Microsoft 365 implementations.

    Digicode designs, builds, and modernizes IT environments for organizations that need to move from legacy infrastructure to modern, governed, cloud-based platforms without disrupting daily operations. Cloud transformation and tech modernization are areas where the company brings direct experience – taking organizations from hybrid environments that have drifted from best practice back to a security posture that actually reflects the current threat landscape.

    For this engagement, Digicode drew on its cloud migration and Microsoft Dynamics and Microsoft platform expertise to deliver a Microsoft 365 modernization program covering identity, endpoint management, mobile security, and SharePoint Online migration as one coordinated initiative, not a set of disconnected IT projects.

    man in wireless headphones with laptop

    The Situation

    IT security gaps tend to be interconnected in ways that make each one harder to address in isolation. Fix identity without touching devices and the endpoints are still unmanaged. Manage endpoints without addressing mobile and personal phones stay outside the perimeter. The organization had all of them at once.

    • black check mark in a circle

      Identities secured by passwords alone

      No multi-factor authentication. No Conditional Access policies. Every user account was one compromised credential away from full network access. In an environment where remote work was expanding and employees were accessing systems from outside the office more often, that was a risk that compounded quietly every week.

    • black check mark in a circle

      No visibility into corporate devices

      The organization had no complete inventory of its Windows devices and no reliable record of which device belonged to which employee. Device ownership was undocumented, compliance was unmonitored, and security policies couldn’t be consistently enforced across endpoints nobody had formally tracked. During the initial assessment, this turned out to be one of the most significant gaps the engagement had to address and it became the foundation everything else was built on.

    • black check mark in a circle

      File access dependent on Remote Desktop

      Shared file access ran through a Remote Desktop environment. It worked until it didn’t and it didn’t with enough regularity to become a daily operational friction point. The environment carried hosting and maintenance costs with no corresponding security benefit, gave the business no auditability over who had accessed what, and was a file-sharing model that employees had learned to route around rather than depend on.

    • black check mark in a circle

      Personal devices left outside the perimeter

      Employees used personal smartphones for work email and messaging. When asked to accept full mobile device management, they pushed back – a reasonable response from anyone being asked to hand IT complete control of a personal device. The outcome was a category of devices with real access to corporate data sitting entirely outside any security policy, with no way to enforce controls or selectively remove data if a device was lost or an employee left.

    • black check mark in a circle

      No audit trail on documents

      Document access, sharing, and governance had no centralized visibility. The organization couldn’t reliably determine who had accessed a file, when, or whether that access was appropriate – a compliance and governance gap that widened with every passing month.

    Multi-Factor Authentication
    and Conditional Access policies

    Multi-factor authentication was deployed across all 120 users, with Microsoft Authenticator as the required second factor. Conditional Access policies were configured to evaluate every login attempt against user identity, device compliance status, and location before granting network access. Self-Service Password Reset and security group-based access management brought authentication governance in line with current enterprise standards. All users were required to adopt the new controls before access continued.

    Endpoint management through Microsoft Intune

    Following an upgrade to Microsoft 365 Business Premium, Digicode enrolled 61 corporate Windows devices into Microsoft Intune, creating the organization’s first-ever centralized device inventory. Compliance policies, BitLocker encryption, and Microsoft Defender for Business were deployed across enrolled devices, with endpoint detection and response capabilities active across the managed endpoint estate. A hybrid management approach was maintained where Group Policy Objects were already established.

    Mobile Application Management without full device control

    The personal device problem was resolved through Mobile Application Management rather than full MDM enrollment. Outlook and Teams were secured on employees’ personal smartphones (corporate data protected and selectively removable) without IT taking over the device itself. Employees accepted it because they weren’t being asked to surrender control of a personal device. That distinction is what made adoption happen rather than stall.

    SharePoint Online migration replacing Remote Desktop

    Digicode designed and built approximately 20 SharePoint sites with structured document libraries, department-level permissions, and security group-based access control. A dedicated external collaboration site was built for partners and third parties. A communication portal with centralized navigation was added. Then roughly 500GB of business data was migrated from legacy storage, and the Remote Desktop environment was decommissioned.

    The Solution

    Digicode designed and implemented a Microsoft 365 migration and security modernization program addressing identity, endpoint management, mobile, and collaboration as a single coordinated initiative.

    Before and After

    How moving to a centrally governed Microsoft 365 workplace changed the operational reality:

    Area

    Before

    After

    Identity protection

    Password-only access – no MFA, no Conditional Access policies

    100% MFA deployed, Conditional Access evaluating every login

    Device oversight

    No inventory, no compliance monitoring, no documented ownership

    61 devices centrally enrolled and managed in Microsoft Intune

    Personal devices

    Unmanaged – full MDM resisted and refused by employees

    77 devices secured via Mobile Application Management

    File sharing

    Remote Desktop environment, prone to outages and downtime

    SharePoint Online – ~20 governed sites, department-level permissions

    Business data

    ~500GB on legacy infrastructure with no audit trail

    Migrated to SharePoint Online – governed, compliant, audit-ready

    Infrastructure cost

    Remote Desktop hosting and maintenance costs with no security return

    Legacy environment fully retired

    Area

    Identity protection

    Before

    Password-only access – no MFA, no Conditional Access policies

    After

    100% MFA deployed, Conditional Access evaluating every login

    Area

    Device oversight

    Before

    No inventory, no compliance monitoring, no documented ownership

    After

    61 devices centrally enrolled and managed in Microsoft Intune

    Area

    Personal devices

    Before

    Unmanaged – full MDM resisted and refused by employees

    After

    77 devices secured via Mobile Application Management

    Area

    File sharing

    Before

    Remote Desktop environment, prone to outages and downtime

    After

    SharePoint Online – ~20 governed sites, department-level permissions

    Area

    Business data

    Before

    ~500GB on legacy infrastructure with no audit trail

    After

    Migrated to SharePoint Online – governed, compliant, audit-ready

    Area

    Infrastructure cost

    Before

    Remote Desktop hosting and maintenance costs with no security return

    After

    Legacy environment fully retired

    Results

    This Is What Secure Looks Like

    white laptop icon in purple rounded square

    Every corporate device accounted for

    61 corporate Windows devices are enrolled in Microsoft Intune – the first time the organization had a complete, centrally managed device inventory. Compliance monitoring, BitLocker encryption, and Microsoft Defender for Business with endpoint detection and response now cover every enrolled endpoint.

    white database icon in purple rounded square

    Remote Desktop replaced, data on SharePoint

    Roughly 500GB of business data is now in SharePoint Online across approximately 20 governed sites. Around 100 users moved off Remote Desktop. The legacy environment was retired, along with the hosting and maintenance costs it was carrying.

    white empty conveyor icon in purple rounded square

    First-ever device inventory established

    Before the project, no reliable record existed of which corporate devices were in circulation or who was using them. Device ownership is now documented, compliance is monitored, and IT has full visibility into the endpoint estate for the first time.

    white chalkboard icon in purple rounded square

    Personal devices brought inside the perimeter

    77 personal mobile devices are secured through Mobile Application Management. Corporate data on Outlook and Teams is governed and selectively removable without requiring full device enrollment that employees had already declined.

    white chart pie icon in purple rounded square

    100% MFA adoption

    Every one of approximately 120 users now authenticates through multi-factor authentication with Conditional Access evaluation on every login attempt. The password-only exposure is closed.

    white hierarchy icon in purple rounded square

    Infrastructure cost reduced

    The retirement of the Remote Desktop environment eliminated a cost category that was adding operational overhead without adding security. Infrastructure complexity decreased with it.

    Why It Matters

    Security gaps rarely show up in an audit. They show up when something goes wrong – a phished login that grants network access, an unencrypted laptop that walks out the door, a file share that nobody can account for when asked.

    The more common pattern is an IT environment that accumulated controls incrementally, each one addressing a specific problem without a view of the full picture. Identity gets addressed. Devices don’t. Collaboration gets modernized. Governance doesn’t follow. The gaps live at the intersections, and the intersections are where organizations actually get exposed.

    Treating identity, devices, and data as three parts of one problem (rather than three separate IT projects) is what produced a result that holds. Every device is accounted for. Every login is verified. Every file has an owner and a trail.

    That’s the difference between hoping nothing goes wrong and knowing you’d see it if it did.

    blue lock and chips

    Why the Project Succeeded

    Built to Hold, Not Just to Launch

    white padlock icon in purple rounded square

    Microsoft 365 Business Premium used as a security platform

    The organization was already paying for Microsoft 365. Like most organizations in that position, a significant portion of what they were paying for was sitting unused. The upgrade to Business Premium and full deployment of Intune, Defender for Business, and the Entra ID security feature set turned an underutilized productivity subscription into an enterprise security platform. The cost of the modernization was partly offset by eliminating the Remote Desktop infrastructure it replaced.

    white chield with checkmark icon in purple rounded square

    Security and usability designed together

    The mobile device outcome is the clearest example. Employees had already refused full MDM enrollment – a position that was going to hold regardless of how the ask was framed. Mobile Application Management delivered the same data protection without requiring anyone to surrender control of a personal device. That’s why adoption happened. When security measures respect people’s reasonable objections, they get used.

    white pyramid icon in purple rounded square

    Identity, devices, and data treated as one problem

    The temptation in IT modernization is to sequence workstreams over multiple budget cycles: identity this year, endpoint management next, collaboration when there’s capacity. That approach leaves gaps at the intersections and intersections are where security exposure lives. Addressing the three as a single initiative was what made the result coherent rather than patchwork.

    white squares icon in purple rounded square

    Foundation before breadth

    The device inventory was established before compliance policies were enforced against it. Identity controls were deployed before endpoint management was layered on top. Each phase built on the previous one, which is what separates a system that holds from one that eventually needs to be done again properly.

    How It Was Built

    The program followed a deliberate sequence rather than running workstreams in parallel before the foundation was ready:

    Discovery first

    Full environment audit, device inventory baseline, and a modernization roadmap built around actual gaps – not assumptions about what a standard deployment looks like.

    Identity before access

    Microsoft Entra ID configured with MFA, Conditional Access, and SSPR before any other workstream opened. Users required to adopt Microsoft Authenticator before access continued.

    Endpoints enrolled

    Corporate Windows devices brought into Intune with compliance policies, BitLocker, and Defender for Business before personal device management was addressed.

    Personal devices secured

    MAM deployed for personal smartphones – Outlook and Teams protected without full device enrollment. Adoption happened because the ask was proportionate.

    Collaboration migrated

    ~20 SharePoint sites built, ~500GB of data moved from legacy storage, Remote Desktop decommissioned.

    Future Plans

    The modernization established a foundation for continued investment.

    On the roadmap: Microsoft Purview Information Protection and Data Loss Prevention, automation of employee onboarding and offboarding workflows, continued enrollment of devices not yet under Intune management, VPN modernization and secure network access enhancements, and expanded compliance monitoring. Much of this connects to Digicode’s broader work in enterprise AI solutions and data engineering, where automation and analytics extend what the Microsoft 365 security platform can do operationally.

    Each of these builds on identity, device, and data governance infrastructure that is already in place, which means every next step is less complex than it would have been without this foundation.

    Key Takeaways

    • black check mark in a circle

      Multi-factor authentication and Conditional Access policies together close the credential-based exposure that passwords alone cannot address

    • black check mark in a circle

      Endpoint management through Microsoft Intune requires a device inventory first – you can’t enforce compliance against assets you haven’t documented

    • black check mark in a circle

      Mobile Application Management resolves the BYOD problem that full MDM enrollment tends to create – same data protection, proportionate ask

    • black check mark in a circle

      SharePoint Online migration is not just a file move, but the opportunity to build governance, permissions, and auditability that legacy file-sharing environments never had

    • black check mark in a circle

      Treating identity, endpoints, and data as one modernization initiative closes the gaps that sequential, separate projects leave at the intersections

    • black check mark in a circle

      Microsoft 365 Business Premium already includes most of what mid-market organizations need for enterprise-grade security – the work is in the deployment, not the licensing

    geometric figure composed of shining lines and nodal points

    Let’s Talk

    See what happens when Microsoft 365 finally gets configured the way your security posture actually requires

    Explore Your Strategy

    FAQ

    • What is Microsoft 365 security?

      Microsoft 365 security is the combination of identity protection, endpoint management, threat detection, and data governance built into the Microsoft 365 platform. For most organizations, a significant portion of these controls (Conditional Access, MFA, Microsoft Defender, Intune) are available but not deployed. Microsoft 365 security means fully activating and configuring those layers, not just holding a Microsoft 365 subscription.

    • How does Microsoft 365 migration work?

      Microsoft 365 migration involves moving data, user accounts, and workloads from legacy systems to Microsoft’s cloud infrastructure. This typically covers email migration, SharePoint Online migration from file servers or Remote Desktop environments, and user onboarding to modern authentication. A structured approach addresses identity security before data migration, reducing exposure during the transition and ensuring the new environment is governed from day one.

    • What are Conditional Access policies in Microsoft 365?

      Conditional Access policies are rules in Microsoft Entra ID that evaluate every login attempt against defined criteria (user identity, device compliance, location, and risk signals) before granting access to corporate systems. Rather than relying on a correct password alone, Conditional Access can require MFA, restrict access to compliant devices, or block untrusted locations. It is one of the highest-impact identity controls in Microsoft 365.

    • What is multi-factor authentication?

      Multi-factor authentication requires users to verify their identity through a second factor (typically an app notification or a code) in addition to their password. This means a stolen or phished password alone is not enough to gain network access. MFA is consistently one of the most effective security controls available and is a baseline requirement for any organization serious about protecting user identities and corporate systems.

    • What is endpoint management in Microsoft 365?

      Endpoint management in Microsoft 365 refers to centralized control and monitoring of devices (Windows PCs, laptops, and mobile devices) through Microsoft Intune. IT teams can enforce compliance policies, deploy applications, manage encryption, and monitor device health from a single console. For organizations without a device inventory, Intune often provides the first real visibility into what is on the network and whether it meets security standards.

    • What is Microsoft Defender for Business?

      Microsoft Defender for Business is an endpoint security solution designed for small and mid-sized organizations. It provides threat protection, attack surface reduction, endpoint detection and response, and automated investigation capabilities across managed devices. Defender for Business is included in Microsoft 365 Business Premium and integrates with Microsoft Intune, allowing security policies and threat monitoring to run from the same management console.

    • What is endpoint detection and response?

      Endpoint detection and response (EDR) continuously monitors endpoints for signs of threat activity, detects anomalies, and provides investigation and response capabilities for security incidents. Unlike traditional antivirus, EDR identifies threats that have already bypassed initial defenses and gives IT teams the visibility to understand what happened and contain the damage. Microsoft Defender for Business includes EDR as part of Microsoft 365 Business Premium.

    • What is SharePoint Online migration?

      SharePoint Online migration is the process of moving business data from on-premises file servers, network drives, or legacy environments (including Remote Desktop-based storage) to SharePoint Online in Microsoft 365. A well-executed migration establishes governed document libraries, department-level permissions, external collaboration sites, and full audit capabilities. It replaces infrastructure that was expensive to maintain and difficult to secure with a governed, cloud-based alternative.

    • What is IT infrastructure modernization?

      IT infrastructure modernization is the process of replacing legacy systems, tools, and processes with modern cloud-based alternatives that are more secure, manageable, and cost-effective. In a Microsoft 365 context, this typically means retiring on-premises servers, Remote Desktop environments, and unmanaged device fleets in favor of centrally governed, cloud-managed infrastructure with identity protection, endpoint compliance, and data governance from a single platform.

    • What is cloud transformation?

      Cloud transformation is the organizational shift from on-premises infrastructure to cloud-hosted services and platforms. In a Microsoft 365 context, this means moving identity management, device security, collaboration, and compliance monitoring to Microsoft’s cloud without on-premises server dependencies. For mid-market organizations, Microsoft 365 Business Premium provides enterprise-grade security and governance at a manageable cost and complexity level.

    • How does Digicode approach Microsoft 365 security modernization?

      Digicode treats identity, endpoint management, and data governance as one coordinated initiative rather than separate projects. As a Microsoft Partner with over 18 years of experience, Digicode designs modernization programs that balance security with usability, deploying Conditional Access, Intune, and SharePoint Online migration in a sequence that closes gaps at the intersections other approaches tend to leave open.

    Digicode
    Privacy Overview

    This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.