Is it feasible to escape Microsoft 365 in business and enterprises without huge problems?

I have a small law firm (5 people). Like everyone else on the forum, I don’t like Microsoft for its practices and ethics. However, as is often the case, their product is the best in features and overall price. I was wondering if I should go with Microsoft 365 Business Standard or try FOSS options, something like LibreOffice + local host for backups or a Drive like Proton, etc. (and occasionally, if needed, GDocs, Teams, Zoom, etc.).

I was also considering using Microsoft Activation Scripts, even though it’s illegal, just to have the programs (I would use Outlook via IMAP/POP) since some employees might have a hard time adapting to something other than MS Office. The problem here would be that it wouldn’t have Exchange, OneDrive backups, synchronization of calendars, contacts and such, which I don’t know if it would be a big loss (we don’t use them right now, but it might be a good idea to integrate them). I wouldn’t have OneDrive backups either, but then again, I sometimes question their value since I’ve never had a computer or local host fail, although I understand that the problem with local host + NAS + VPN is that it can be more expensive or time consuming to maintain. Also, I lose the potential easy use of live collaboration and sharing on docs, basically modernizing my environment.

Essentially, the fear is the potential benefit in efficiency, time and money to the firm that I’d lose by not integrating the full Microsoft 365 Business solution for privacy and governance ideals, either today or if the firm grows someday. I imagine I could always continue using more private options for other things that don’t affect anything, like the browser. Is MS Office such a treacherous option for our ideals? Most of what I read on Reddit, or what I’ve already seen in a similar post here, is that it’s better to bet on M365. It’s a difficult debate for me, could you help me out? Is M365 overall worth it in this context and much better value than just local MS Office apps?

For businesses it will be either M365 or Google Workspace. Other products are not fit for business usage, especially privacy oriented ones.

3 Likes

Thank you for your answer Bhaelros. I’ve read some of your posts on similar topics before. If it doesn’t bother you, could you explain further?

Of course. To make your emails privacy friendly, like Proton or Tuta, all of your emails need to be encrypted, zero knowledge will be applied, and thus cannot be read by others, even by admins, right? So, how can you prevent a breach or leak? You need to control what your employees are receiving and sending.

I can speak for Microsoft 365. You have DLP (Data Loss Prevention) policies, Compliance policies, Threat Intelligence, Exchange rules, and many other things. But every policy has a requirement, which is to access your data directly. Google WS is doing the same. Also, considering you are a business customer, you can select your datacenter location. Yes, MS is a US company, like Google, but your datacenter can be in Europe.

Also, when you enroll into M365 Business Premium or higher tier, you will have access to Intune, which is an endpoint management tool, a powerful one. That will increase your security. You can add application policies, web access policies (for Defender for example), application whitelisting and blacklisting, even control which apps can be installed, which sites can be accessed, and so on.

If you go with privacy friendly route, you can’t do that.

There is also the question of support. There is a lot of difference in support level between SMBs and Enterprises. When you open a case, even on weekends, Microsoft will call you back and provide support (I did it many times with my M365 Business Premium package). I can’t speak for Tuta because I have only a free account, but I am not happy with the support provided for my Proton Family sub, which was also a decisive factor for cancelling my Proton sub.

Edit. I wrote it many times before but I will write again. M365 and Google Business products are totally different from consumer products. I won’t recommend anyone consumer grade products, even paid version (I am using Google One and M365 Family, that is another topic), but business product line is totally different.

2 Likes

I think for a small company you could manage not using O365. For example, Proton offers a business suite of products. The big advantage with O365 or Google is that most people are already familiar with it and it’s proven to work at scale, but with only 5 employees it should not be such a huge deal to train them to use something more privacy friendly.

I would do your due diligence and give Proton, or whomever you choose, reps a call and make sure they can offer the features you need for your firm.

I am sure your clients will appreciate that your firm prefers privacy friendly products where possible.

2 Likes

I can speak for my multinational super huge IT firm. Your emails will not even reach me. I don’t want to give out exact name of my company but you can guess from my previous whinings.

If you use any kind of encryption, add an encryption key, write something which even looks like a password, send an email from known personal email providers, your emails will be blocked. I won’t even see them.

My company has 330k employees and our IT security team has the combined IQ level of a parakeet, maybe a parakeet has more IQ.

I am not sure how relevant all this is…

This sounds like your company just has awful network admins rather than something OP should be concerned about. Most companies deal with lawyers and other services (such as issues dealing with HR or finances etc) that require encrypted emails on a daily basis. These are not normal issues.

Encryption and confidentiality are done via Azure Information Protection and Azure Rights Management. If you send an encrypted email from an unknown source, like Proton for example, it will be automatically rejected. If you are a customer, then your domain needs to have a trust with our AD, which requires also M365.

1 Like

I am not going to argue that Proton will be as widely trusted as O365 but I also don’t think it’s THAT big of an issue. I guarantee your company has support staff that release emails from new customers / services all the time. It’s not like OP will be sending every email (regardless of content) encrypted or ignore other domain authentication best practices.

It sounds like you know your stuff. I guess I don’t see using Proton (a company with 100 million users) as being that much of a blocking issue. It’s totally something worth bringing up with Proton before deciding on using them though. That’s for sure.

Question will be, what are these users in Proton. Are they really active? How many of them are actually using the service? How many of them are business users? How many of them are paid users? etc etc.

Edit. I can’t even send emails from my own Proton email to my business email. They are blocking pm.me domains too.

1 Like

I find this interesting as the current company I work for as well as my previous company, allow and accept proton domain email addresses. Sophos has quarantined respectable companies but allowed several from proton.

It could be regional acceptance but proton has a strong sender reputation and are normally recognized from Azure systems as trustworthy. I would think that extra flags were put in place to block these.

I would say your largest dilemma would be the office suite as MS is so engrained in every enterprise ecosystem it is almost impossible to not use excel. ODT format and csv are not as widely accepted compared to the entire MS or ADOBE documentation.

It could be “doable” but require extra steps that may hinder progress. Video + a “teams like” chat that is scalable but requires decent IT knowledge would be a Matrix client with Jitsi.

Tying all of it together with Nextcloud to sync it all together would be easy enough for five but could become more difficult for a larger enterprise. I could see this working for 20 or less employees as I currently have a very similar setup for 5.

Don’t expect it to be seamless, expect plentiful training needed, a strong IT/networking background, and headaches from potential incompatibility.

The reliance on the whole MS system is awful but almost a must in a large enterprise but doable for your team of 5.

Edit: some grammar and spelling issues corrected. Also note live collaboration like you find with SharePoint is not available out of the box in something like LibreOffice and requires additional work or addons.

1 Like

Is it feasible? Yes. I’ve done it for small and large companies. The challenge is not technical, it’s people. Cryptpad/nextcloud/mailbox.org can all replace O365 and Google Workspace without issue. In fact, they’re better on a technical level. You can also self-host nearly everything if you want to do so for privacy or just corporate compliance.

The challenge every time has been people. People don’t like change, especially non-technical people. Every company I’ve helped to freedom has a small handful of employees who make a huge noise about how “this one feature makes X better than this proposed solution”. Every time, it turns out the “one feature” is nonsense; they don’t like change and don’t want to have to learn something new. I’ve seen it in young and older employees, age doesn’t matter.

Most of these companies are in regulated industries, so changing is risky for them, but the payoff in control, reduced exploit/data leak surface, and financial gains is worth the risk in their calculation. In fact, you can bypass entire sections of audits by not having 3rd party hosted company-critical information.

As part of the people challenge, execs will challenge any change simply because “no one else I know is doing this”. Management are sheep and will follow the crowd because that’s what everyone else does. Circular logic abounds.

It takes executive management champions to push something like this through. It’s also not 100% either. Some places have developed Office/Workspace specific macros/code that will take longer to migrate. Chances are, python/javascript can do whatever is needed in most cases, and be put into proper production control systems (like versioning, code releases, QA review, etc).

Besides, part of Danish and German governments are doing it to get away from US Big Tech. Get in early! Join the new crowd migrating before it was cool!

2 Likes

It really depends on your requirements and workflow. Do you need to have file access from remote locations, will more people edit the same file at once, do you prefer web access or local programs, do you need to have secure communication and file-sharing with 3rd parties (clients, public administration), do you need MS office specific features (you already said Outlook is a must)

As others have mentioned, Microsoft and Google have different offers for business users, it’s not the same and as privacy invasive as for private ones. But also, you are a team of five, so it should be easier to use an alternative, as such changes are constrained by people, not technology.

TBH, I don’t see much value in Microsoft’s offerings for small organizations, but I understand people are used to their products, and would like to keep using them. From my own experience, in 50 and 4000 people organizations, Nextcloud and Onlyoffice don’t look so weird and people won’t complain much. And there are also service providers who offer fully managed solutions. But as it’s not encrypted, you will not get better security, so the reason to choose these is just to move away from MS or get another hosting location (not just EU, but could be a specific country or Switzerland).

And as I mentioned in many other topics - Syncthing is great :smiley:

1 Like

Thank you for your comprehensive answer.

I notice that you also understand me regarding how frustrating it is to want to escape from Microsoft… Someday

There is some useful information located

Several others have replied or added input into this as there are some government bodies attempting the transition away from MS.

Really thank you deimos.

I don’t have enough knowledge or experience (especially not working in IT) to argue with that. But, it’s interesting to see the contrast between what I read from you and the opinions expressed in both previous posts here and, especially, the consensus from this Reddit r/sysadmin post.

I truly appreciate your answer crossroads,

I want to move from outdated workflows to the possibility of modernizing them, to gain productivity while freeing up time for employees (and me) and increasing opportunities for growth. We don’t currently use this, we send each other emails when we make a change to something or review it (I know, Paleolithic, but this wasn’t my office) but perhaps starting to do so would greatly improve the office (what’s your take on this guys?). I don’t mind moving to Thunderbird or Proton in some future (but if I need MS Office it’s an add-up cost, also means to educate employees who are not at all tech-savvy). Finally yes, we probably need to collab with 3rd parties and of course with Justice Admin. (but the latter is mostly done with .pdf).

Personally, I think they are simpler, straightforward and can afford a more competitive price for all the set. I’m not sure if the solution with my own servers, NAS and LO or with Proton mail and Drive + LO + Cryptpad or Collabora, something also to replace Teams, etc. will end up bringing me more headaches, friction and expense in IT support (I don’t have an IT in the office). And I have some knowledge, but not enough to be fast and manage myself without wasting time and being sure of everything I do (I’m probably one of the few lawyers who has touched a terminal, knows how to install Windows, apply GPO, change the SSD or RAM, install a ROM on the mobile, solve everyday problems from people using their pcs or who has a certain intuition and desire to not be a completely uneducated, etc., to cite silly examples, but I guess it’s not enough). Others also tell me that it’s important not to have everything encrypted so that employees can be audited, etc. You can also see what I say about what others seem to think about the problems this can cause in practice in the two quotes from my previous answer.

Yes! I’ve already read your response and participated in that post.

I love that they do it. But, I also think they might have it easier since they have a much bigger budget and IT team. And less vital consequence for screwing up.

Tbh I would say that I plan to use Proton and Threema for my company. Speaking from the personal experience of Proton I really don’t think you will have a problem with it.
My custom domain was labeled External by companies with their own mail servers despite Proton being the provider for me, but other than this, that’s all I can really say. I may make a Proton business for my small duo though.

1 Like

This is the largest reason why MS is in the position that they are in. It comes bundled in enterprise with easy to setup systems with advanced helpers ready to assist if needed. When you take this on as an individual whose primary role is not IT it can be daunting on your stress levels. You probably have other tasks that are far more important than troubleshooting issues.

1 Like