Microsoft 365 governance India: the morning a Hyderabad SaaS firm found 4,000 people could open payroll
The IT head asked me which firewall to renew. That was not actually the problem. His problem was sitting inside his own Microsoft 365 tenant, and it had been growing quietly for four years.
This is a Hyderabad SaaS company. Around 320 staff. Good product, fast hiring, the usual. I drove over on a Tuesday to look at their cloud setup before a renewal. By 11 that morning we had found something nobody in the room wanted to say out loud.
Four thousand accounts could open the payroll folder.

9:40 AM, the link that never died
It started small. A finance executive had shared a salary working file in 2022. She used “anyone with the link can edit”. Quick, easy, bas done. Then that link sat in an email. The email got forwarded. The folder it lived in inherited the sharing. New subfolders inherited it again.
By 2026 the count of people and guests who could reach that folder was higher than the company’s actual headcount. Matlab, contractors who left in 2023 still had a live door in.
Nobody did anything malicious here. That is the part people miss. Permissions sprawl is not a breach. It is entropy. You hire fast, you share fast, and access only ever gets added, never removed.
10:15 AM, the admin who already knew
Their M365 admin was sharp. He pulled up the sharing reports inside the admin centre and the SharePoint admin pages. He could see the problem. He had been able to see it for months.
Here is the honest bit. I came into that room thinking this was a training issue. Teach people to stop using open links, achha, done. Three reports and one long coffee later, I changed my mind. This was a scale problem. You cannot hand-fix 12,000 broken permission entries across 600 sites with a person and a mouse.
The native tools are genuinely good at one thing. They tell you the truth. Microsoft’s own data governance documentation lays out the visibility you get. What they do not do well is act on that truth in bulk, on a schedule, with a record of what changed and why.
That is the line. Reporting is not remediation. Seeing the fire is not the same as putting it out.
200+ Indian businesses. Microsoft Partner.
Microsoft 365 governance India: where the cleanup actually starts
People hear “governance” and think policy documents. Forget that. On the ground it is four plain questions, asked about every file and every team.
- Who can open this, and should they?
- What happens to access when someone leaves or changes role?
- Which sites and teams have gone stale and should be archived?
- Can I prove, on a given date, who could see a given file?
That last one is the DPDP question. India’s data law, explained in MeitY’s data protection framework, treats personal data access as a duty you have to demonstrate. Not claim. Demonstrate, with a record.
This is where AvePoint M365 management earns its keep. It sits on top of your tenant and does the bulk work the admin centre cannot. Bulk permission cleanup. Stale-site detection. Policies that re-apply themselves when someone breaks a rule again next month. And it keeps the audit trail that a DPDP review will ask for.
11:30 AM, the table nobody enjoyed
The CFO walked in for a different meeting and stayed for this one. He wanted the choice on one page. So I drew it.
| Job | Native M365 tools | AvePoint |
|---|---|---|
| Show who can access a file | Yes, good | Yes |
| Fix 10,000 permissions at once | Manual, painful | Bulk, scheduled |
| Re-apply policy when it breaks again | No | Automatic |
| Find and archive dead Teams sites | Partial | Yes, with rules |
| Audit record for a DPDP review | You assemble it | Kept for you |
The CFO got it in about ten seconds. His line, not mine: “So the free tool tells me my house is on fire, and this one actually brings water.” Pakka. That is the whole thing.
Worth saying plainly. If you are a 30-person shop with one SharePoint site, you do not need this. Native tools and a careful admin are enough. The case changes when you cross a few hundred staff, many sites, guests, and a compliance clock ticking. Then the manual route stops being thrift and starts being risk.
The three doors most tenants leave open
I see the same three every time I walk into an Indian M365 estate. I think yours has at least one.
Open links. The “anyone with the link” share that escapes its original folder. Convenient on Monday, a liability by next quarter. Microsoft and the security guidance from CERT-In both push least-privilege sharing for exactly this reason.
Orphaned access. The person left. Their access did not. Offboarding cleans the user account but rarely walks back every file and Team they touched. The principle here is old and boring and right, the least-privilege idea that NIST has pushed for years. Give the minimum, take it back fast.
Dead Teams. Someone spun up a Team for a 2024 project. It holds client data. It has had zero activity for 18 months and zero owner. Nobody is watching it, and that is precisely the kind of forgotten corner a review will find.
2:00 PM, what we actually proposed
No big-bang rip-out. We do not work that way and you should not either. The plan was three moves, in order.
First, a read-only scan. We map the real access picture across the tenant before touching anything. Most clients have never once seen this view, and it is sobering.
Second, a controlled cleanup. Close the worst open links, pull orphaned access, archive the dead Teams. With a record of every change, so it is reversible and provable.
Third, policies that hold. So the tenant does not drift back to the same mess in six months. This is the bit that pays for itself, because cleanup once is a project and cleanup forever is a posture.
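The read-only scan from the first move, as an added example that is not the firm's or AvePoint's own tooling: it sorts permission entries into the three doors from the section above (open links, orphaned access, guest access) and flags a dead Team. The directory snapshot, permission entries and lastActivityDate values are constructed here in the shape Microsoft Graph returns them (GET /users, driveItem permissions, the Teams activity report); pulling them live is assumed to happen beforehand.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # constructed scan date
STALE_AFTER = timedelta(days=18 * 30)              # the 18-month threshold from the post

# Constructed directory snapshot, shaped like Graph GET /users fields.
DIRECTORY = {
    "priya@hyd-saas.example":      {"userType": "Member", "accountEnabled": True},
    "ravi@contractor.example":     {"userType": "Guest",  "accountEnabled": True},
    "old-intern@hyd-saas.example": {"userType": "Member", "accountEnabled": False},
}

# Constructed entries on one folder, shaped like Graph driveItem permission objects.
PAYROLL_PERMS = [
    {"id": "p1", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"},
     "inheritedFrom": {"path": "/Finance/Salary working"}},
    {"id": "p2", "roles": ["read"],  "grantedToV2": {"user": {"email": "priya@hyd-saas.example"}}},
    {"id": "p3", "roles": ["read"],  "grantedToV2": {"user": {"email": "ravi@contractor.example"}}},
    {"id": "p4", "roles": ["write"], "grantedToV2": {"user": {"email": "old-intern@hyd-saas.example"}}},
    {"id": "p5", "roles": ["read"],  "grantedToV2": {"user": {"email": "gone@hyd-saas.example"}}},
]

def classify_permission(perm, directory):
    """Return (finding, detail) for one entry, or None when it looks healthy."""
    link = perm.get("link")
    if link:
        if link["scope"] == "anonymous":   # "anyone with the link", the door that escapes its folder
            where = perm.get("inheritedFrom", {}).get("path", "this item")
            return ("open_link", f"{link['type']} link for anyone, inherited from {where}")
        return None                        # organization/users links are scoped; leave for review
    email = perm.get("grantedToV2", {}).get("user", {}).get("email")
    entry = directory.get(email)
    if entry is None or not entry["accountEnabled"]:
        return ("orphaned_access", f"{email} is gone or disabled but still holds {perm['roles']}")
    if entry["userType"] == "Guest":
        return ("guest_access", f"guest {email} holds {perm['roles']}")
    return None

def scan_folder(perms, directory):
    """Group findings by door so each can be reviewed before anything is removed."""
    findings = {}
    for p in perms:
        r = classify_permission(p, directory)
        if r:
            findings.setdefault(r[0], []).append((p["id"], r[1]))
    return findings

def is_dead_team(team, now=NOW):
    """No owner and no activity for 18 months: an archive candidate, not an auto-delete."""
    last = datetime.fromisoformat(team["lastActivityDate"]).replace(tzinfo=timezone.utc)
    return not team["owners"] and (now - last) > STALE_AFTER
```

Run this against a full export of a tenant's permission entries and the output is the review list for the second move, nothing removed yet.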
The same logic carries over to the rest of your stack. It pairs with the Microsoft 365 backup gap most firms also miss, with tighter identity and access controls, and with endpoint cover like Microsoft Defender for Business. Governance, backup, identity. Three legs of the same stool. You can see how we line them up across our cloud practice, and pair it with data access auditing where the estate is larger.
Plain-English terms
Permissions sprawl: When access to files and folders keeps getting added and almost never removed, until far more people can open something than ever should. Example: 4,000 accounts able to reach a payroll folder shared by one person in 2022.
DPDP Act 2023: India’s data protection law. Any business holding personal data of Indian citizens must control and prove who can access it. Example: a SaaS firm must show, on request, exactly who could open an employee salary file.
Least privilege: The rule that each person gets the minimum access they need to do their job, and no more. Example: a sales intern can open the sales deck, not the board folder.
Key takeaways
- Permissions sprawl is normal entropy, not a breach. It builds quietly as you hire and share.
- Native M365 tools report the problem well. They do not remediate it at scale.
- Under DPDP, access control is a provable legal duty, not just hygiene.
- Start with a read-only scan. You cannot fix what you have never measured.
- The payoff is policies that hold, so cleanup is permanent and not an annual fire drill.
FAQ
Does Microsoft 365 not handle governance on its own?
It gives you strong visibility and basic controls. At a few hundred users with many sites and guests, the bulk cleanup and the re-applying policies are where native tooling runs out, and a layer like AvePoint takes over.
Is this only for large enterprises?
No, but it earns its place above a certain size. A small single-site team is fine on native tools. The value shows when you have sprawl across many teams, departing staff, and a compliance requirement.
Will a cleanup break people’s access to files they actually need?
Not if it is done read-first. We map access, agree what is genuinely needed, then remove the rest with a full record. Every change is logged and reversible.
How does this connect to DPDP compliance?
DPDP asks you to control and demonstrate who can access personal data. Governance gives you the audit trail and the access posture a reviewer will ask for, instead of a scramble on the day.
P.S. Sudeep here. We ran this exact