Replacing SMB File Shares with SharePoint: Security-First Migration Guide

By Errin O'Connor | April 15, 2026 | 15 min read

On-premises SMB file shares are a security liability, a compliance gap, and a collaboration bottleneck. Here is how EPC Group migrates enterprise file shares to SharePoint Online with zero data loss, proper permission mapping, and a structure that actually works — built from 25+ years of SharePoint consulting experience.

Why file shares need to go

Every organization we work with has the same file share story: it started as a simple shared drive 15 years ago, grew organically, and now contains 5-50 TB of data with NTFS permissions that no one fully understands. The problems are well-documented:

  • Security blind spots: NTFS permissions are difficult to audit at scale. Inherited permissions create access chains that grant unintended access. Departing employees' access persists because no one reviews file share ACLs systematically.
  • No DLP enforcement: On-premises file shares sit outside the Microsoft 365 compliance boundary. Purview DLP, sensitivity labels, and retention policies do not apply. Sensitive data — PII, financial records, health information — sits unclassified and unprotected.
  • Version control chaos: "Report_v3_FINAL_revised_FINAL2.xlsx" is the universal symptom. File shares have no native versioning, so users create copies, leading to version confusion, data loss, and wasted storage.
  • Remote work friction: VPN-dependent file shares are slow for remote workers, incompatible with mobile devices, and create a two-tier experience where in-office employees have fast access and remote workers do not.
  • Disaster recovery gaps: File share backups rely on on-premises backup infrastructure. SharePoint Online includes Microsoft-managed geo-redundant storage with 93-day recycle bin retention and version history.

SharePoint Online solves every one of these problems — but only if the migration is done correctly. A poorly executed migration creates a new set of problems: broken permissions, lost files, user revolt, and a "shadow IT" reversion to the old file share.

Phase 1: Discovery and assessment

Every EPC Group file share migration starts with a thorough discovery phase. You cannot migrate what you do not understand.

  • Data inventory: We scan every file share using migration assessment tools to catalog total volume, file count, file types, file age distribution, and path lengths. This reveals how much data is stale (untouched for 2+ years), how much exceeds SharePoint's 400-character path limit, and how much contains file types SharePoint blocks (e.g., .exe, .msi).
  • Permission audit: A full export of NTFS ACLs across every folder and file, resolved to effective permissions per user. We identify permission inheritance breaks, over-permissioned folders, orphaned SIDs (permissions for deleted accounts), and folders with more than 50,000 unique permissions (which hit SharePoint limits).
  • Content classification: We identify sensitive data — Social Security numbers, credit card numbers, health records, legal holds — using pattern matching and Purview scanning. This data requires specific handling during migration (sensitivity labels, restricted access, retention policies).
  • Stakeholder interviews: We talk to business unit leaders to understand how teams actually use file shares: which folders are active, which are archive, what naming conventions exist, and what the biggest pain points are. This informs the target information architecture.

Discovery typically surfaces 30-50% of file share content as stale (not accessed in 2+ years). We recommend archiving this to Azure Blob Storage cold tier rather than migrating it to SharePoint, saving both migration effort and SharePoint storage cost.
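The data inventory triage described above can be sketched as follows. This is an added example, not EPC Group's tooling: the share name, the destination prefix and the inventory records are constructed, and the projected length is an approximation of the destination path.

```python
from datetime import datetime, timedelta
import posixpath

PATH_LIMIT = 400                          # SharePoint path limit cited in this guide
BLOCKED_EXT = {".exe", ".dll", ".msi"}    # file types the guide names as blocked
STALE_AFTER = timedelta(days=2 * 365)     # "untouched for 2+ years"

def relative(unc, share_root):
    """Path below the share root, with forward slashes as it would appear in a URL."""
    norm = unc.replace("\\", "/")
    root = share_root.replace("\\", "/").rstrip("/")
    if not norm.lower().startswith(root.lower() + "/"):
        raise ValueError(f"{unc} is not under {share_root}")
    return norm[len(root) + 1:]

def assess(inventory, share_root, target_prefix, now):
    """Sort (unc_path, size_bytes, last_modified) records into migration buckets.

    target_prefix is the assumed destination path below the tenant host name.
    """
    buckets = {"blocked": [], "stale": [], "too_long": [], "migrate": []}
    bytes_by_bucket = dict.fromkeys(buckets, 0)
    for unc, size, modified in inventory:
        rel = relative(unc, share_root)
        projected = len(f"{target_prefix}/{rel}")
        if posixpath.splitext(rel)[1].lower() in BLOCKED_EXT:
            bucket = "blocked"
        elif now - modified > STALE_AFTER:
            bucket = "stale"        # candidate for cold-tier archive, not migration
        elif projected > PATH_LIMIT:
            bucket = "too_long"     # must be flattened or renamed before migration
        else:
            bucket = "migrate"
        buckets[bucket].append(rel)
        bytes_by_bucket[bucket] += size
    total = sum(bytes_by_bucket.values()) or 1
    return buckets, round(100 * bytes_by_bucket["stale"] / total)

# Constructed sample inventory (not real data).
NOW = datetime(2026, 4, 15)
SHARE = r"\\fs01\finance"
TARGET = "sites/Finance/Shared Documents"
SAMPLE = [
    (SHARE + r"\2026\budget.xlsx", 300, datetime(2026, 3, 1)),
    (SHARE + r"\tools\setup.MSI", 100, datetime(2026, 1, 5)),
    (SHARE + r"\2019\close\ledger.xlsx", 500, datetime(2019, 12, 31)),
    (SHARE + "\\" + "\\".join(["quarterly review working papers"] * 13)
     + "\\notes.docx", 100, datetime(2026, 2, 2)),
]

if __name__ == "__main__":
    print(assess(SAMPLE, SHARE, TARGET, NOW))
```

The second return value is the stale share of total bytes, the figure that drives the archive-versus-migrate decision.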

Phase 2: Permission mapping (NTFS to SharePoint)

Permission mapping is where file share migrations succeed or fail. NTFS and SharePoint permission models are fundamentally different:

Concept | NTFS | SharePoint Online
Permission granularity | 13 individual permissions per ACE | 4 permission levels (Read, Contribute, Edit, Full Control)
Inheritance | Folder-to-subfolder, breakable at any level | Site/library/folder, breakable but discouraged
Identity source | Active Directory users/groups | Azure AD users/groups (synced via Azure AD Connect)
Unique permission limit | Effectively unlimited | 50,000 per list/library (performance degrades above 5,000)
Deny permissions | Supported (Deny overrides Allow) | Not supported — remove access instead

EPC Group's permission mapping process:

  • Group consolidation: Most file shares have dozens of AD groups with overlapping membership. We consolidate these into a clean set of Azure AD security groups aligned with business roles (e.g., "Finance-ReadWrite", "Legal-ReadOnly") before migration.
  • Permission level mapping: NTFS Modify maps to SharePoint Contribute. NTFS Read & Execute maps to SharePoint Read. NTFS Full Control maps to SharePoint Full Control (reserved for site owners). Custom NTFS permissions are mapped to the closest SharePoint equivalent and documented.
  • Inheritance break analysis: Folders where NTFS inheritance is broken require special handling. If the break exists because a subfolder has more restrictive access, we consider separate SharePoint libraries or sites. If the break exists because individual files have unique permissions, we redesign using metadata-based views instead of folder-based security.
  • Validation with business owners: Every permission mapping is reviewed by the business unit that owns the content. This catches cases where current NTFS permissions are wrong (people have access who should not) and provides an opportunity to clean up before migration rather than migrating bad permissions.
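One way to apply the level mapping and the audit checks from Phase 1 to an exported ACL listing is shown below. This is an added example, not EPC Group's process or any tool's output format: the record fields, group names and paths are constructed, and the rights strings follow the .NET FileSystemRights names.

```python
import re
from collections import namedtuple

# Level mapping stated in this guide; any other rights string goes to manual review.
LEVEL_MAP = {"FullControl": "Full Control", "Modify": "Contribute", "ReadAndExecute": "Read"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")    # identity that no longer resolves to a name
SCOPE_WARN, SCOPE_MAX = 5_000, 50_000        # per-library thresholds from the comparison table

ACE = namedtuple("ACE", "path identity rights type inherited")  # hypothetical export schema

def normalise(rights):
    """Drop the Synchronize flag that accompanies most NTFS rights strings."""
    return ", ".join(r for r in (p.strip() for p in rights.split(",")) if r != "Synchronize")

def scope_status(count):
    return "over_limit" if count > SCOPE_MAX else "degraded" if count > SCOPE_WARN else "ok"

def map_aces(aces, share_root):
    """Turn explicit ACEs into (path, identity, level) grants plus review findings."""
    plan, findings, scopes = [], [], set()
    for ace in aces:
        if ace.inherited:
            continue                      # repeats a grant already declared on a parent
        if ace.path != share_root:
            scopes.add(ace.path)          # explicit ACE below the root = inheritance break
        rights = normalise(ace.rights)
        if SID_RE.match(ace.identity):
            findings.append(("orphaned_sid", ace.path, ace.identity))
        elif ace.type == "Deny":
            # SharePoint has no Deny: the folder needs its own scope without this group.
            findings.append(("deny_ace", ace.path, ace.identity))
        elif rights not in LEVEL_MAP:
            findings.append(("manual_mapping", ace.path, ace.identity))
        else:
            plan.append((ace.path, ace.identity, LEVEL_MAP[rights]))
    return plan, findings, scope_status(len(scopes))

# Constructed sample export (not real data).
ROOT = r"\\fs01\finance"
SAMPLE_ACES = [
    ACE(ROOT, r"CORP\Finance-Users", "ReadAndExecute, Synchronize", "Allow", False),
    ACE(ROOT, r"CORP\Finance-Leads", "Modify, Synchronize", "Allow", False),
    ACE(ROOT + r"\payroll", r"CORP\Payroll-Team", "Modify, Synchronize", "Allow", False),
    ACE(ROOT + r"\payroll", r"CORP\Finance-Users", "ReadAndExecute, Synchronize", "Deny", False),
    ACE(ROOT + r"\payroll\2025", r"CORP\Payroll-Team", "Modify, Synchronize", "Allow", True),
    ACE(ROOT + r"\archive", "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "FullControl", "Allow", False),
    ACE(ROOT + r"\audit", r"CORP\Auditors", "Write, ReadAndExecute, Synchronize", "Allow", False),
]

if __name__ == "__main__":
    print(map_aces(SAMPLE_ACES, ROOT))
```

The findings list is what goes to business owners for validation; only the plan entries are safe to translate automatically.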

Phase 3: Information architecture design

Migrating a file share's folder structure as-is to SharePoint is the most common mistake. File share structures are not information architectures — they are organic growth accumulated over decades. EPC Group redesigns the structure for SharePoint:

  • Site hierarchy: Top-level sites per business function (Finance, HR, Legal, Projects) rather than mirroring the file server folder tree. Hub sites connect related sites for cross-functional search and navigation.
  • Document libraries: Libraries organized by content type (Contracts, Policies, Project Deliverables, Templates) rather than nested folders. SharePoint's search and metadata filtering replaces the "browse through 8 levels of folders" workflow.
  • Metadata taxonomy: Managed metadata columns (Department, Project, Document Type, Status, Year) replace folder nesting. A document tagged with Department=Finance, Type=Report, Year=2026 is findable without knowing which folder it lives in.
  • Folder depth limit: Maximum 2-3 levels of folders within any library. Anything deeper is a sign that metadata should replace folder structure.
  • Naming conventions: Standardized library and folder naming documented in a governance guide. No special characters, no spaces in site URLs, descriptive names that make sense to someone outside the team.

Phase 4: Migration tools and execution

EPC Group selects migration tools based on the engagement's complexity:

SharePoint Migration Tool (SPMT)

Microsoft's free tool handles file share to SharePoint migrations with basic permission mapping, scheduling, and incremental migration support. Best for straightforward migrations under 5 TB with simple permission structures. Limitations: no pre-migration reporting, limited error diagnostics, and no permission visualization.

ShareGate (Workleap)

Enterprise-grade migration tool with pre-migration assessment, permission mapping visualization, automatic permission translation, scheduling, throttle management, and detailed error reporting. EPC Group's tool of choice for enterprise migrations. The permission mapping report alone — showing exactly who will have access to what after migration — is worth the license cost.

Migration execution best practices

  • Phased approach: Migrate by business unit, not all at once. This limits blast radius if issues arise and gives each team dedicated support during their cutover window.
  • Incremental migration: Run the initial bulk migration, then run incremental passes daily until cutover. This ensures files modified between bulk migration and cutover are captured.
  • Validation scripts: Automated comparison of source file count/size against destination. EPC Group runs hash verification on a statistical sample to confirm data integrity.
  • Cutover window: A defined cutover window (typically a weekend) where the source file share goes read-only, a final incremental migration runs, validation completes, and the old file share path is redirected to SharePoint via DFS namespace or GPO-pushed shortcuts.
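The validation step above (count and size comparison, then hash verification on a sample) can look like this. It is an added example, not EPC Group's script, and it assumes the migrated content is reachable as a local directory tree, for instance a synced or exported copy of the library; the demo files are constructed.

```python
import hashlib
import os
import random
import tempfile

def manifest(root):
    """Map each file's path relative to root (forward slashes) to its size in bytes."""
    sizes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            sizes[os.path.relpath(full, root).replace(os.sep, "/")] = os.path.getsize(full)
    return sizes

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def validate(src_root, dst_root, sample_size, seed=0):
    """Compare counts and sizes for every file, then hash a random sample of the rest."""
    src, dst = manifest(src_root), manifest(dst_root)
    common = src.keys() & dst.keys()
    size_diff = sorted(p for p in common if src[p] != dst[p])
    # Equal size does not prove equal content, so the sample is drawn from size-matched files.
    candidates = sorted(common - set(size_diff))
    sample = random.Random(seed).sample(candidates, min(sample_size, len(candidates)))
    hash_diff = sorted(p for p in sample if sha256_of(os.path.join(src_root, p))
                       != sha256_of(os.path.join(dst_root, p)))
    return {"source_files": len(src), "dest_files": len(dst),
            "missing": sorted(src.keys() - dst.keys()),
            "extra": sorted(dst.keys() - src.keys()),
            "size_diff": size_diff, "hashed": len(sample), "hash_diff": hash_diff}

def write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed trees: one file missing, one truncated, one corrupted at equal size."""
    source = {"a/ok.txt": b"ledger 2026", "a/lost.txt": b"contract",
              "b/short.txt": b"0123456789", "b/flip.bin": b"AAAA"}
    copied = {"a/ok.txt": b"ledger 2026", "b/short.txt": b"01234", "b/flip.bin": b"AAAB"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in source.items():
            write(src, rel, data)
        for rel, data in copied.items():
            write(dst, rel, data)
        return validate(src, dst, sample_size=10)

if __name__ == "__main__":
    print(demo())
```

The equal-size corruption in `b/flip.bin` passes the count and size checks and is caught only by the hash sample, which is why the sample size should be set from the error rate the business is willing to accept.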

Phase 5: DLP policies and compliance

Once data is in SharePoint, it enters the Microsoft 365 compliance boundary. EPC Group configures:

  • Sensitivity labels: Automatic labeling policies that classify documents containing PII, financial data, or health information and apply appropriate encryption, watermarking, and access restrictions.
  • DLP policies: Microsoft Purview DLP rules that prevent sensitive content from being shared externally, copied to personal devices, or downloaded by guest users. Critical for compliance in healthcare (HIPAA) and financial services (SOC 2).
  • Retention policies: Automated retention that keeps documents for required periods (7 years for financial records, 6 years for HR) and disposes of them after retention expires. Replaces the "never delete anything" approach that inflated file share storage for decades.
  • Audit logging: Purview Audit captures every file access, share, download, and modification. Essential for compliance investigations and forensic analysis.

Phase 6: User training and adoption

The best technical migration fails without user adoption. EPC Group delivers role-based training:

  • End users: How to find files (search vs. browse), sync libraries to File Explorer via OneDrive, co-author documents in real time, use version history to recover previous versions, and share files securely (internal sharing links vs. external guest access).
  • Site owners: Managing permissions, creating views, configuring metadata columns, monitoring storage usage, and handling access requests. Site owners are the frontline governance enforcers.
  • IT administrators: SharePoint admin center operations, PowerShell management, monitoring with Power BI usage analytics, and troubleshooting sync issues. Integration with the broader Microsoft 365 admin stack.

Training is not a one-time event. EPC Group provides 30/60/90-day check-ins after migration to address adoption issues, answer questions, and adjust the information architecture based on real usage patterns.

Common migration pitfalls and how to avoid them

  • Path length failures: SharePoint's 400-character URL limit catches deeply nested folders with long names. Discovery phase identifies these; redesigned information architecture eliminates them.
  • Blocked file types: SharePoint blocks .exe, .dll, .msi, and other executable file types by default. These are identified during discovery and archived separately or excluded from migration.
  • Throttling: Microsoft throttles large migrations to protect service performance. ShareGate's intelligent throttle management and off-peak scheduling mitigate this. EPC Group coordinates with Microsoft support for large migrations to obtain temporary throttle relief.
  • Timestamp preservation: Migration tools preserve file modified dates but not created dates. If your compliance or records management depends on original creation dates, this must be handled via metadata mapping during migration.
  • User revolt: Users who have worked with file shares for 20 years resist change. Executive sponsorship, clear communication about why the migration is happening, and training that shows tangible benefits (search, mobile access, version history) are critical. Forcing the change without support leads to shadow IT.

Frequently Asked Questions

How long does a typical SMB file share to SharePoint migration take?

For a mid-size organization with 2-10 TB of file share data, EPC Group's standard migration runs 8-16 weeks: 2 weeks for discovery and assessment, 2-3 weeks for information architecture design and permission mapping, 3-6 weeks for phased migration execution, and 1-2 weeks for validation, cutover, and user training. The primary variables are data volume, permission complexity, and the number of business units involved. Larger migrations (50+ TB, 10,000+ users) run 4-8 months.

Can SharePoint handle our deeply nested folder structures?

SharePoint supports up to 400 characters in the full URL path, which accommodates most folder structures. However, the deeper question is whether your existing structure should be preserved. Most deeply nested file shares evolved organically over 15+ years and contain redundant folders, abandoned project directories, and inconsistent naming. EPC Group's approach is to redesign the information architecture during migration — flattening deep hierarchies, applying metadata instead of folder nesting, and using document libraries organized by function rather than department hierarchy. The result is a structure that is searchable, governable, and sustainable.

How do we handle NTFS permissions in SharePoint?

NTFS permissions do not map 1:1 to SharePoint. NTFS has granular file-level ACLs with inheritance chains; SharePoint uses site-level, library-level, and folder-level permissions based on SharePoint groups linked to Azure AD groups. EPC Group audits every NTFS ACL, maps them to equivalent SharePoint permission levels (Read, Contribute, Edit, Full Control), creates Azure AD security groups that mirror the effective access, and validates the mapping with business owners before migration. This is typically the most labor-intensive phase of the project and the one where mistakes cause the most user complaints.

What migration tool should we use — ShareGate or SPMT?

SharePoint Migration Tool (SPMT) is free, Microsoft-supported, and handles basic file share migrations well. ShareGate (now part of Workleap) costs $15-45K annually but provides permission mapping visualization, pre-migration reports, scheduling, throttle management, and better error handling. For small migrations (under 2 TB, simple permissions), SPMT is sufficient. For enterprise migrations (10+ TB, complex NTFS permissions, multiple file servers), ShareGate pays for itself in reduced troubleshooting time. EPC Group uses ShareGate for enterprise clients and SPMT for smaller engagements.

How do we prevent users from recreating the old folder chaos in SharePoint?

This is the most common post-migration failure. EPC Group prevents it through four mechanisms: (1) Information architecture governance — documented standards for site creation, library naming, and metadata taxonomy enforced via site templates and provisioning workflows. (2) DLP policies — Microsoft Purview DLP prevents sensitive data from being stored in non-compliant locations. (3) Training — role-based training for end users, site owners, and IT admins covering search, metadata tagging, and version history. (4) Monitoring — Fabric analytics on SharePoint usage patterns that flag governance violations (deeply nested new folders, oversized libraries, broken sharing links) for proactive remediation.

Ready to retire your file shares?

EPC Group runs a 2-week File Share Migration Assessment: data inventory, permission audit, information architecture design, and a fixed-fee migration roadmap. Call (888) 381-9725 or request an assessment below.