Compliance

Ensuring compliance with Microsoft 365 in your organisation


Compliance is a key aspect of working with Microsoft 365. Without clear governance, there is a risk of security vulnerabilities and confusing permissions. Compliance by Design ensures that structures are secure, transparent and auditable from the outset.

15 June 2026 – Christian Mennrich-Ketelsen / Patrick Carl

Several dice bearing symbols that represent the company’s compliance rules.

Compliance challenges in Microsoft 365


Although working in Microsoft 365 offers many benefits, compliance quickly turns out to be complex: changing teams, external guests and countless permissions make it difficult to keep track of sensitive data. Meanwhile, regulatory requirements such as the GDPR and NIS-2 are constantly evolving, so organisations must regularly adapt their practices. Through the Digital Resilience Commitment, Microsoft supports organisations in strengthening their security. Training staff and raising awareness are equally important, so that data protection and compliance are embedded in day-to-day operations. Compliance is therefore an ongoing process that builds security and trust, not a one-off project.

Microsoft 365 and Governance: Common challenges in day-to-day work


Many organisations recognise that governance and compliance in Microsoft 365 are complex issues requiring well-thought-out structures. Without clear rules and transparent permissions, maintaining an overview and quickly providing all necessary evidence during audits can be challenging. The typical areas of concern here are:

  • Uncontrolled growth: Teams and SharePoint sites are created without clear rules or processes, and the overview is lost.
  • Permission chaos: permissions are often not documented, leaving security and compliance gaps; nobody can say with certainty who has access to what.
  • Guests and external users: invitations remain active indefinitely and old accounts are not deleted. Every invitation creates a guest account in the directory that keeps its team, group and site memberships until someone removes it, which is why this risk is so often underestimated.
  • Audits: teams often spend days or even weeks manually compiling evidence of who holds which permissions and who has accessed which data.

Governance with Microsoft 365: First-hand insights from Portal Systems

Based on various client projects, Portal Systems has found that many organisations face recurring compliance challenges in Microsoft 365. Typical issues include confusing permissions in Teams and SharePoint, where it is unclear who has access to what. External guest accounts often remain open for longer than necessary, thus posing a security risk. Audits also pose problems when evidence has to be gathered manually. This time-consuming and frustrating process can be avoided with the right tools.

Microsoft 365: Why governance and access policies are key


Clear governance and access policies, such as role-based access control and consistent access management, are essential for building trust in the Microsoft 365 environment. They provide transparency and traceability: who has access to what, and why. Automation and a consistent least-privilege approach minimise the risk of unauthorised access. Regular recertification of permissions (access reviews) keeps access current, accurate and audit-proof. The result is less manual effort and significantly greater security, and organisations retain an overview of their Microsoft 365 resources at all times.

Shareflex® Documents


Document Management with SharePoint and Microsoft 365

With Shareflex Documents you get a tailor-made solution for process and document management with SharePoint and Microsoft 365.

  • ✯ Manage documents more efficiently
  • ✯ Simplify access and speed up searches
  • ✯ Increase productivity and save costs
The user interface of Shareflex Documents, the document management software with SharePoint Online and Microsoft 365.

Compliance by Design with Patrick Carl: How compliance drives innovation


Organisations often view compliance as a chore. However, with the right approach, governance can achieve much more than merely meeting regulations. Patrick Carl, Chief Sales Officer (CSO) of Portal Systems, explains how Microsoft 365 demonstrates that regulation and flexibility can go hand in hand.

Question: When you think about your projects: Is there an ‘aha’ moment that customers experience once they have implemented Governance by Design?

Patrick Carl: When they realise just how much Microsoft already delivers at the core. This makes things significantly easier for customers than if they were to try to manage everything themselves.

Question: It is often said that ‘compliance stifles innovation’. Why do you consider this a misconception, particularly in the context of Microsoft 365?

Patrick Carl: As a company with Hanseatic roots, the honourable merchant is an important guiding principle for us. Rules must be followed and adhered to. Even if that isn’t always easy. Microsoft supports us in this area with its cloud services, as compliance is also very important to Microsoft and a central component of all its services. Through our offerings, Microsoft and we demonstrate that innovation is not compromised, but rather that our offerings are more innovative than those of the competition.

Office Governance: Microsoft 365 with effective security strategies


Experience shows that compliance is most effective when built in from the outset. Clear roles and the ‘least privilege’ principle ensure that everyone has access only to what they need and that responsibilities are defined. Automated processes for permissions and regular checks replace cumbersome Excel spreadsheets and ensure that security is fully traceable. Clear rules also govern collaboration with external partners, specifying who can access which data and when. Governance by design is a strategic advantage, not an extra burden.
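As an added example (not code from Portal Systems, Shareflex or Microsoft's own tooling), the following Microsoft Graph PowerShell script implements one such regular check for the guest problem described in the challenges list above: it reports guest accounts that have not signed in for a configurable number of days, including invitations that were never redeemed, together with the teams and groups each guest is still a member of, so the CSV doubles as the audit evidence that is otherwise compiled by hand. The 90-day threshold, the report path and the scope set are assumptions; reading `signInActivity` requires the `AuditLog.Read.All` permission and a Microsoft Entra ID P1 licence.

```powershell
# Added example: report stale Microsoft 365 guest accounts and their memberships.
# Not Portal Systems' or Microsoft's code. Assumes the Microsoft.Graph SDK is installed,
# an account that can consent to the scopes below, and Entra ID P1 (signInActivity).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

param(
    [int]$InactiveDays = 90,                      # assumption: sample threshold
    [string]$ReportPath = ".\stale-guests.csv"    # assumption: sample output path
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "GroupMember.Read.All" -NoWelcome

$now    = Get-Date
$cutoff = $now.AddDays(-$InactiveDays)

# Only guests; signInActivity is not returned unless selected explicitly.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property @('id', 'displayName', 'mail', 'createdDateTime', 'externalUserState', 'signInActivity')

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in has no signInActivity at all. Using the invitation
    # date as the reference also catches invitations that were never redeemed.
    $reference = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    if ($reference -lt $cutoff) {
        # Memberships are the audit evidence: which teams/groups still grant this guest access.
        $memberships = Get-MgUserMemberOf -UserId $g.Id -All |
            ForEach-Object { $_.AdditionalProperties['displayName'] } |
            Where-Object { $_ }
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            Mail              = $g.Mail
            InvitedOn         = $g.CreatedDateTime
            InvitationState   = $g.ExternalUserState      # 'PendingAcceptance' = never redeemed
            LastSignIn        = $lastSignIn
            DaysSinceActivity = [int]($now - $reference).TotalDays
            Memberships       = ($memberships -join '; ')
        }
    }
}

if ($report) {
    $report | Sort-Object DaysSinceActivity -Descending |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host ("{0} of {1} guests exceed {2} days without activity; report written to {3}" -f `
        @($report).Count, @($guests).Count, $InactiveDays, $ReportPath)
} else {
    Write-Host ("No guest account has been inactive for more than {0} days." -f $InactiveDays)
}

# Remediation is deliberately not automated here: review the CSV with the team and site
# owners first, then disable before deleting, e.g.
#   Update-MgUser -UserId <id> -AccountEnabled:$false
```

Keeping the report and the clean-up as separate steps is intentional: the CSV is what an auditor asks for, the owners confirm which accounts are still needed, and disabling an account before deletion keeps it recoverable if a partner turns out to be active after all.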

Lessons learned by Portal Systems: Ensuring compliance with Microsoft 365

Portal Systems' projects have yielded practical approaches to implementing governance and permission processes efficiently. Targeted testing, practical trials and accompanying documentation identify potential issues early, so processes can be managed more effectively and new ones introduced securely and in a controlled way.

  • Launch small pilot projects: Use a department or region as a test area to review governance processes and gather user feedback.
  • Use demo versions and test environments: This allows you to practically assess requirements, test authorisations and workflows.
  • Involve key users closely: define roles, authorisations and responsibilities in collaboration with IT and Compliance, and reduce the training burden.
  • Phased implementation: Start by securing critical processes such as contract management, document management or ECM, then expand gradually.
  • Ongoing feedback: Refine functions and continuously adapt to compliance requirements.

Governance by Design fosters security and trust


Compliance by Design is an ongoing process that builds trust through security, and is more than just a technical standard. Clear authorisation rules, regular audits and small-scale pilot projects can help to avoid common issues relating to permissions and open guest access, ensuring the secure use of Microsoft 365. Integrating governance into all processes from the outset saves organisations a great deal of time and helps them to maintain a clear overview. This enables you to protect your data, meet compliance requirements, and continue using Microsoft 365 flexibly.

Any questions? I will be happy to answer them personally!


Portrait of Patrick Carl, Chief Sales Officer at Portal Systems AG.

Patrick Carl
Chief Sales Officer

Email: info[at]portalsystems.de

FAQ


Why is it not enough to simply ‘add on’ compliance to Microsoft 365 at a later stage?

Organisations must integrate compliance with Microsoft 365 from the outset ('by design'), because measures introduced retrospectively often create gaps and inefficiencies in processes, increasing the risk of breaches.

What is the difference between technical security and effective governance?

Technical security protects systems and data from unauthorised access, while effective governance ensures that rules, roles, and processes are consistently implemented, and that compliance is maintained in day-to-day operations.

What are the typical signs that a company is operating shadow IT in Microsoft 365?

These include the uncontrolled creation of Teams, SharePoint sites or external shares without documented permissions, a lack of guest policies, and manually maintained access lists.


Hamburg, 16 June 2026

Author: Christian Mennrich-Ketelsen


Portal Systems is Microsoft Solutions Partner Digital and App Innovation Azure.
The Microsoft Solutions Partner logo Data & AI Azure.
The ISO/IEC 27001 certificate for Portal Systems AG and SaaS Shareflex Solutions.
The BSFZ® seal for innovative research and development.
Seal ‘“Practice partner for the dual study programme at IU International University (IU)”'.