Finchloom has identified an opportunity within the marketplace to offer a managed service around some of the more templatized functions within Office 365, specifically onboarding, moves, adds, changes, and offboarding. These solutions are similar between smaller organizations and enterprises, but not exactly the same, and each is easily scalable with a CSP like Finchloom.

It is also worth mentioning before I get too deep into this topic that this process is fully remote. Whether it be sending equipment to new hires, making changes for promoted users, or decommissioning machines and returning them to the organization's help desk, the entire process can be handled virtually regardless of where in the world your company or employees reside.

Enterprise Managed Services


With enterprise organizations, there is generally a patented workflow that the business has organized and documented down to the step. They know every person, piece of equipment, and department that needs to be involved with onboarding, whether it be procuring the hardware or notifying HR. This workflow is established to set up accounts within Office 365, provide the appropriate permissions for the role, etc. These workflows are all created in whatever ticketing system the business uses or would like to use. We at Finchloom are completely malleable in this regard: we will use whatever system the business would like us to use, and will act on tickets when they reach the appropriate point for our team to step in. Finchloom appears as part of the internal organization's help desk but in an automated sense. The business initially kicks off the workflow and then can completely forget about it until they receive confirmation that the workflow has been completed.

For onboarding, the process begins with the establishment of an Active Directory account. Once created, we go over the permissions associated with the account, the level of access within the environment (specifically teams that are required and distribution lists that the user should be added to), and additional permissions within the organization that tie the user to a specific location or groups within the organization as appropriate to the department.

We will also confirm that the users receive their hardware, are able to log in, and receive all the access they expect to. There is a touch component involved with each section of our Microsoft 365 Admin Managed service, whether it be reaching out to the user via telephone support, desktop sharing, or a Teams meeting. More involved access (like network access) is also provided where permissions don’t appear to be defined. Generally, we identify this step before it happens, but if there are more involved requirements, we update the ticket and move it to the relevant group for triage and resolution.

This service is also able to extend into other services such as mail and file maintenance, and similar offerings within Exchange and SharePoint. As of today, however, we have primarily seen that many of our clients are more focused on the ongoing maintenance of user accounts and the permissions associated.

To put a bit of analogy behind this service, Finchloom provides housekeeping to user accounts. We are not the ones building the house or determining what structures need to be set, but once it’s in place our team comes in and keeps things running the way they’re intended to. As architectural changes are needed, they can always be passed off to other members of the team or handled within a project with Finchloom, but the admin managed service is here to create and decommission user accounts, make additions to shared mailboxes and shared resources within Teams and SharePoint, and handle similar lower-level tasks, freeing up the internal IT department.

Moves, Adds, and Changes

What happens when a resource is promoted or moved within the organization? These changes, like onboarding, also need to be accounted for and recorded within the business systems to see that they are approved by the standard review and approval process. Moves, adds, and changes all start another workflow. Finchloom, offering the admin managed service, then acts on all the tickets submitted each month for moves, adds, and changes, and removes that responsibility from the standard help desk so that they can focus on the more involved and less templatized tasks that they need to address daily. Instead of dealing with administration changes and issues, the help desk is now free to help users who are having issues connecting, issues with their machines, etc., where there’s an in-depth triage process. The leadership of the help desk can focus on these daily tasks now that the templatized tasks are happening in the background and not debilitating their resources with a consistent workflow.

As stated in the onboarding section, we can move the ticket to the proper groups for more specific permissions and changes, but we never release the ticket from our visibility. When a business puts this ticket into our workflow and we’ve owned it, we also own the management of the other teams, reporting and ensuring that the tickets are being worked on to keep up the SLAs, and making sure the ticket is returned to Finchloom so that we can complete our components. There is an additional level of ticket oversight and workflow oversight that we add as an additional value contribution to the organization for entrusting us with this significant number of tickets and workflow.

This is a great tool for enterprise organizations where the number of users can range from 500-25,000 people. For larger organizations, the ticket volume for moves, adds, and changes is generally very high (somewhere around 1,300 tickets a month on average), and it creates a very intensive workload that we can stay consistent and focused on so that, again, it does not debilitate the company’s internal help desk.


Offboarding of employees is typically a sensitive type of ticket and workflow because it must be very well timed. This is another opportunity for enterprises to empower Finchloom with the ability to ensure that these things happen on time and as expected. Within tickets for offboarding, there is a specific time when permissions need to be cut off. Companies either have granted Finchloom those permissions, or we work closely with the security administrators within the client-side organization to make sure that it is scheduled and occurs in a timely manner. The workflow then begins with the receipt and decommissioning of the hardware.

We ensure that all the hardware has been returned, reallocated, and either put back into the business's asset management system or received by the appropriate groups within the customer's organization (generally the service desk for reimaging and redistribution). We also confirm that the permissions have been turned off, the account spend is decommissioned, and any other items have been removed/changed (for example sharing existing documentation from the decommissioned user with the appropriate new recipient, like email forwarding). In the case of email forwarding, we also must remove the offboarded user from distribution groups so that the new user is not inundated with emails that are not actionable by that specific user. Furthermore, we act on the somewhat standard items like granting access to OneDrive and Teams where there may be messages coming to that specific user who has now left the company and needs a new user to see their old information.

Small to Medium Business Managed Services

Small to medium-sized organizations that do not have an IT department still need help administering and maintaining the security of their small tenants or their organizations. This process (at least initially) is a bit more involved as usually it is not as templatized as enterprise businesses. All the steps in the enterprise section above are similar for small and medium businesses but require a few additional first steps in terms of documentation.

One of the initial priorities of our managed service for smaller businesses is to create the templates to work off, for example a run-book for each of the different action items that will happen with a particular customer. In this regard, it does begin to more closely resemble a standard managed service or service desk offering because we do a significantly higher amount of discovery so that we can better understand the customer tenant and environment to perform our job.

This is a large value add to our customers because we take ownership for maintaining their security levels through the initial assessment and the definition of these processes. With this, our offering becomes more of a traditional managed service and enables businesses to offload user administration. For many smaller organizations, this becomes administration as a service in many regards.

The process generally is front loaded with a small project that includes discovery, configuration, and in some cases, deployment of additional software packages around the administration of the end users. In most cases, we will deploy Endpoint Manager and Autopilot for updating and deploying software packages and hardware for users.

This service puts Finchloom’s expert eyes on the client environment and enables us to provide assurance to the organization that things are being looked at every time somebody enters or leaves. We have also designed an annual security assessment for smaller customers, where we identify what should be looked at according to the size and industry that the company operates in.

How Finchloom can help

Regardless of business size, Finchloom will partner with your organization to ensure that your IT needs are taken care of. Whether it be completing only the onboarding, moves, adds, changes, and offboarding, or creating the system to templatize your IT processes, we can help. Our team of Microsoft experts is available to our clients for a variety of uses and will strive to keep your organization and IT processes secure and up to date. If you are interested in learning more about Finchloom’s Microsoft 365 Admin Managed Service or would like to speak to a Finchloom representative, please reach out by clicking the link here. As always, thank you for reading!

P.S. Finchloom will be hosting a webinar next week on the topic of Defender for Endpoint. If you would like to learn more and/or register, please click here!