Q: We already use Google Workspace. Why would we switch?
The honest answer depends on your situation. If your business processes personal data — employee records, customer contracts, financial data — Microsoft 365 has a structural advantage for DSGVO compliance in Germany. Microsoft's Data Processing Addendum commits to EU data processing, EU datacentre residency for business data, and GDPR Article 28 compliance out of the box. More practically, DATEV integration, beA (electronic attorney mailbox), and the majority of German accounting, payroll, and industry-specific software is built for the Microsoft ecosystem. Google Workspace works well as a standalone productivity suite; it does not slot into the German business software landscape the same way.
Q: Which plan do we actually need?
For most DACH small businesses, Microsoft 365 Business Premium is the right answer. It includes everything in Business Standard (Teams, SharePoint, Exchange, OneDrive, the Office apps) plus Microsoft Intune for device management, Microsoft Entra ID P1 for conditional access, and Microsoft Defender for Business. The jump from Business Standard to Business Premium is roughly €8 per user per month. The security capabilities you get in return — particularly Defender for Business, which provides endpoint detection and response — would cost significantly more if purchased from a third-party security vendor.
Business Basic covers email and Teams only — no desktop Office apps. It works for staff who work primarily in a browser, but for any role that produces documents, spreadsheets, or presentations, it creates friction and workarounds that cost more in lost productivity than the licence saving.
Q: Can Microsoft 365 replace our file server?
Yes — and for most companies under 200 people, it should. SharePoint Online and OneDrive for Business together handle everything a traditional Windows file server does, without the hardware, without the maintenance, without the backup infrastructure, and with better access controls. The migration requires planning — particularly around folder structure, permissions, and the habit change for employees used to mapped network drives — but the technical lift is manageable.
The BSI IT-Grundschutz module SYS.1.6 (cloud server) and OPS.1.2.5 (remote access) both support the shift to cloud-hosted file storage provided the configuration follows the applicable security requirements. Microsoft's documentation maps these requirements to SharePoint and OneDrive configuration options directly.
Q: What does NIS2 mean for our Microsoft 365 setup?
The NIS2 Directive was transposed into German law as the NIS2UmsuCG (NIS2-Umsetzungsgesetz) in 2024. It significantly expands the scope of companies subject to cybersecurity requirements compared to the original NIS Directive. Many companies that previously fell below the threshold — particularly in manufacturing, logistics, food production, and digital services — now fall within scope.
For a Microsoft 365 tenant, NIS2 compliance translates into several concrete technical requirements: MFA for all administrative accounts (and ideally all user accounts), logging and monitoring of security events, documented incident response procedures, and supply chain security assessments. Business Premium includes the tools to meet all of these requirements — Entra ID Conditional Access for MFA enforcement, Microsoft Defender for Business for endpoint monitoring, and Microsoft Purview Audit for event logging. The tools are there; they need to be configured correctly.
Q: How much does Microsoft Copilot actually cost and is it worth it for small businesses?
Microsoft 365 Copilot is an add-on at approximately €28.10 per user per month (as of mid-2025 EUR pricing). It is not included in any Business tier plan and requires Business Standard or higher as a prerequisite. For small businesses, the return on investment depends heavily on the role. For executive assistants, marketing writers, project managers, and anyone who spends significant time drafting, summarising, or searching through documents and emails, the productivity gain is real and measurable. For staff who primarily do data entry or manual work, the ROI is much lower.
A sensible approach is to start with 3–5 licences for the heaviest knowledge workers, measure actual usage over 90 days, and expand based on evidence rather than assumption.
Q: What are the most important security settings to configure on day one?
In order of impact:
- Enable MFA for all users — via Entra ID Security Defaults or Conditional Access policies. This single change blocks the vast majority of account compromise attacks.
- Block legacy authentication protocols — in Exchange Admin Center, disable Basic Auth. This prevents attackers from bypassing MFA by using older email clients.
- Enable Microsoft Defender for Business — onboard all Windows devices and enable the default protection policies. This takes about 30 minutes and provides enterprise-grade endpoint protection.
- Configure SharePoint external sharing settings — by default, SharePoint allows sharing with anyone who has the link, including anonymous external users. Most businesses should restrict this to authenticated users only.
- Set up Microsoft 365 Backup or a third-party backup solution — Microsoft's recycle bin and version history are not a backup. Ransomware that silently encrypts files and only reveals itself after 30 days will outlast both.
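To make the first two items (and the NIS2 MFA requirement above) checkable, here is an added Python audit, not code from the page's author or from Microsoft, that reads an exported list of Conditional Access policies in the Microsoft Graph JSON shape and reports whether an enforced policy requires MFA for all users on all apps and whether the legacy authentication client types are explicitly blocked. The sample export and the `<admin-group-id>` placeholder are constructed; a tenant that relies on Security Defaults instead of Conditional Access has no such policies to audit.

```python
import json
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # legacy (Basic Auth) client types in the Graph schema

# Constructed sample in the shape of GET /identity/conditionalAccess/policies,
# trimmed to the fields the checks read; not exported from a real tenant.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["<admin-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]})

def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies protect nothing.
    return policy.get("state") == "enabled"

def _covers_everyone(policy):
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))

def requires_mfa_for_all(policies):
    # Exclusions (excludeUsers/excludeGroups) are not inspected; review those by hand.
    return any(_enforced(p) and _covers_everyone(p) and "mfa" in _controls(p) for p in policies)

def blocks_legacy_auth(policies):
    # Only an explicit block on the legacy client types counts, matching the advice above.
    return any(_enforced(p) and _covers_everyone(p) and "block" in _controls(p)
               and LEGACY_CLIENT_TYPES <= set(p.get("conditions", {}).get("clientAppTypes", []))
               for p in policies)

def audit(export_json):
    # Returns {check_name: bool}; the sample yields MFA-for-all missing (report-only) and legacy auth blocked.
    policies = json.loads(export_json)["value"]
    return {"mfa_for_all_users": requires_mfa_for_all(policies),
            "legacy_auth_blocked": blocks_legacy_auth(policies)}
```

Run it against a real export with `audit(open("policies.json").read())`; a report-only MFA policy is the most common reason the first check fails.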
Q: How do we manage devices for remote staff?
Microsoft Intune (included in Business Premium) is the answer. It lets you enrol company-owned and employee-owned devices, enforce encryption, require device compliance before accessing company data, and remotely wipe a device if it is lost or stolen. For staff working from home on personal laptops, Intune's App Protection Policies let you protect company data in Outlook and Teams without managing the entire personal device — a sensible balance that employees accept much more readily than full device management.