
Post-Migration Security & Governance Cleanup: What Most Teams Miss (2026)
After a Microsoft 365 tenant migration or M&A consolidation, the 30 most-commonly-missed security + governance cleanup items. From 200+ post-migration engagements. Save this checklist for your next cutover.

After EPC Group's 200+ Microsoft 365 migrations + tenant consolidations, the same 30 items repeatedly get missed in post-migration cleanup. Each one creates compliance exposure, license waste, or security risk. Use this as your post-cutover audit checklist.
1. Orphaned guest accounts from B2B coexistence. External guest accounts accumulated during cross-tenant transition periods. Audit + remediate any with no recent sign-in.
2. Service account inventory + rotation. Service accounts proliferated during migration tooling (ShareGate, AvePoint, Migration Manager). Rotate credentials + audit ongoing necessity.
3. Privileged role assignments from migration era. Migration consultants + tooling required elevated permissions. Revoke + transition to least-privilege.
4. Conditional Access policy drift. Different tenants' policies merged into post-migration tenant. Review + simplify to unified policy set.
5. Microsoft Entra Identity Protection sign-in risk policies. Default policies during migration are often relaxed. Restore production-grade risk thresholds.
6. Just-in-time (PIM) elevation requirements. Migration era often had standing elevation. Move to JIT activation.
7. Customer Lockbox enabled. Required for FedRAMP + many compliance frameworks. Often disabled during migration.
8. Break-glass account procedure tested. New tenant = new break-glass account. Document + quarterly tabletop.
9. Sensitivity label coverage. Container labels applied to all consolidated sites. Verify autolabeling rules trigger correctly across migrated content.
10. Sensitivity label cascade behavior. Test label cascade from container to file. Migration often breaks the chain.
11. Retention policy operational. Verify retention labels apply to migrated content per content type + jurisdiction.
12. Litigation hold transferred. Any pre-migration litigation holds (eDiscovery) MUST transfer to new tenant. Audit + verify.
13. Default sensitivity labels per site. Container labels enforce default sensitivity on new content. Configure per business unit.
14. Microsoft Purview Audit (Premium). Audit log streaming + retention extended to 10 years (default 90 days). Required for SOX + many compliance audits.
15. Oversharing audit on migrated content. Run sensitivity scanner. Top oversharing exposures: financial year-end, M&A targets, executive comp.
16. SharePoint site permissions inheritance. Migration often breaks inheritance. Re-establish hub-and-spoke permission model.
17. Search vertical configuration. Migration breaks search verticals. Reconfigure result sources + refiners.
18. SharePoint hub topology consolidation. Multi-tenant migrations often produce overlapping hub topologies. Consolidate to 1 logical structure.
19. Modern site templates + branding. Brand assets from acquired subsidiaries should be retired or merged into parent brand system.
20. Orphaned Teams from migration coexistence. Teams created for cross-tenant collaboration during transition. Decommission + archive.
21. Teams external access policy. Different settings per source tenant. Unify under parent tenant policy.
22. Teams compliance recording policy. For regulated industries: verify recording + retention transferred.
23. Endpoint compliance policy unification. Different baselines across source tenants. Unify to parent tenant baseline.
24. App protection policy review. Mobile app protection often relaxed during migration. Restore production posture.
25. Conditional Access integration with Intune. Verify device compliance is required for sensitive resource access.
26. Autopilot profile inventory. New device enrollment profiles for the consolidated tenant. Decommission source-tenant profiles.
27. Power Platform environment cleanup. Source-tenant environments (Default, Production, Sandbox) need decommission or migration to parent.
28. Power Automate flow ownership. Flows owned by service accounts or departed users. Reassign + audit.
29. License rationalization. Duplicate E5 + add-on assignments from cross-tenant transition. Reclaim + reassign.
30. Storage quota review. SharePoint + OneDrive storage consumption post-migration. Right-size + decommission unused.
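For item 1, one way to flag guest accounts with no recent sign-in, as an added example that is not EPC Group's tooling. The function names, the 90-day staleness threshold and the 30-day invitation grace period are assumptions, and the sample records are constructed.

```powershell
# Added example for checklist item 1. Get-StaleGuest, the 90-day threshold and the
# 30-day invitation grace period are assumptions; adjust them to your policy.
function Get-StaleGuest {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $StaleDays = 90,
        [int] $GraceDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        if ($u.UserType -ne 'Guest') { continue }
        # Take the most recent of the interactive and non-interactive sign-ins.
        $last = @($u.SignInActivity.LastSignInDateTime,
                  $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        $reason = $null
        if (-not $last) {
            # Never signed in: stale only once the invitation grace period has passed.
            if ($u.CreatedDateTime -lt $Now.AddDays(-$GraceDays)) { $reason = 'NeverSignedIn' }
        } elseif ($last -lt $Now.AddDays(-$StaleDays)) {
            $reason = 'NoRecentSignIn'
        }
        if ($reason) {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; LastSignIn = $last
                               AccountEnabled = $u.AccountEnabled; Reason = $reason }
        }
    }
}

# Constructed sample records shaped like Get-MgUser output (not real accounts).
function New-SampleGuest($Upn, $Created, $Interactive, $NonInteractive) {
    [pscustomobject]@{ UserPrincipalName = $Upn; UserType = 'Guest'; AccountEnabled = $true
        CreatedDateTime = [datetime]$Created
        SignInActivity  = [pscustomobject]@{ LastSignInDateTime = $Interactive
                                             LastNonInteractiveSignInDateTime = $NonInteractive } }
}
$sample = @(
    New-SampleGuest 'stale@partner.example'   '2025-01-10' ([datetime]'2025-06-01') $null
    New-SampleGuest 'active@partner.example'  '2025-01-10' ([datetime]'2025-06-01') ([datetime]'2026-01-05')
    New-SampleGuest 'never@partner.example'   '2025-02-01' $null $null
    New-SampleGuest 'invited@partner.example' '2026-01-08' $null $null
)
Get-StaleGuest -Users $sample -Now ([datetime]'2026-01-15') | Format-Table

# Live tenant (Microsoft.Graph module; signInActivity needs the AuditLog.Read.All scope):
# Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
# $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
#     -Property 'userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity'
# Get-StaleGuest -Users $guests
```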
Recommended cadence:
EPC Group productized engagement: Post-Migration Cleanup Sprint — 4-8 week engagement covering all 30 items + drift baseline documentation. Typical: $80K-$200K depending on tenant complexity.
Q: How many of these 30 items does the typical organization miss?
A: 15-22 of 30 in our post-migration audits. The most commonly missed: items 4, 7, 10, 12, 18, 23, 27.
Q: Can we do this with internal IT only?
A: Yes, if you have senior SharePoint + M365 admins. Most organizations engage EPC Group for the first cleanup sprint + transfer knowledge to the internal team for ongoing maintenance.
Q: How long does the full cleanup take?
A: 4-8 weeks for the discrete items. Some items (#9 sensitivity label coverage, #15 oversharing audit) extend into ongoing programs.
Q: What about Copilot deployment post-cleanup?
A: Strongly recommended. Items 9, 15, 18 are Copilot prerequisites. See /services/copilot-governance-consulting.
Q: Why EPC Group?
A: 29 years Microsoft consulting + 200+ post-migration cleanup engagements. Microsoft Solutions Partner with all six designations under the Microsoft AI Cloud Partner Program. Microsoft Press author. See /reviews.
CEO & Chief AI Architect
Microsoft Press bestselling author with 29 years of enterprise consulting experience.