Case Study

Microsoft 365 Migration for a Healthcare Practice

How a 40-person South Melbourne healthcare practice migrated from on-premises Exchange to Microsoft 365, reduced licensing costs by 40%, and passed a compliance audit.

Industry: Healthcare

Size: 40 staff

Location: South Melbourne

The problem

The practice was running an aging on-premises Exchange server and file server that required constant maintenance, had no cloud backup, and created compliance gaps under the Privacy Act. The hardware was approaching end-of-life, remote access was unreliable for clinicians working across multiple sites, and a recent compliance audit had flagged deficiencies in data protection and access controls.

Our solution

Prexiam migrated the practice to Microsoft 365 Business Premium, moving email from on-premises Exchange to Exchange Online and files from the local file server to SharePoint Online and OneDrive. Security hardening included MFA enforcement, conditional access policies, data loss prevention rules for patient data, and sensitivity labels for clinical documents. Staff received targeted training on the new environment. Third-party M365 backup was configured with tested restore procedures.

The outcome

The practice moved to 100% cloud operations with no on-premises server dependency. Microsoft 365 licensing was optimised to achieve a 40% reduction in software licensing costs compared to the previous on-premises arrangement. The practice passed its next compliance audit with no findings related to data protection or access controls. Clinicians gained reliable remote access across all practice locations.

This case study represents a typical engagement scenario based on common challenges we address for Melbourne healthcare practices. Client details have been generalised to protect confidentiality.

What was the situation?

A multi-disciplinary healthcare practice in South Melbourne with 40 staff — including GPs, allied health professionals, and administrative staff — was running on-premises Exchange 2016 and a Windows Server file server. Both were approaching end-of-life with no vendor support path.

The practice operated across two sites, and clinicians needed reliable access to email, patient correspondence, and shared clinical documents from both locations. The existing VPN solution was unreliable and created workflow bottlenecks.

A recent compliance audit had flagged concerns about data protection practices, specifically around patient data storage, access controls, and backup procedures. The practice manager needed to demonstrate improvements before the next audit cycle.

What problems did the on-premises setup create?

The aging infrastructure created several compounding issues:

  • Maintenance burden — The Exchange server required weekly attention for patching, certificate renewals, and storage management. The previous IT provider billed hourly for this work.
  • No cloud backup — Backups ran to a local NAS device in the same building. A fire, flood, or ransomware event would destroy both the primary data and the backup.
  • Remote access failures — The VPN frequently disconnected, forcing clinicians to drive between sites for access to shared files and the practice management system.
  • Licensing inefficiency — The practice was paying for on-premises Exchange CALs, Windows Server CALs, and separate Office licences. Several staff had licences assigned for roles that did not require the full suite.
  • Compliance gaps — Patient data on the file server had no sensitivity classification, no access controls beyond basic folder permissions, and no audit logging.

How did we execute the migration?

We followed a staged migration approach to minimise disruption to clinical operations:

Week one — Assessment and planning. We documented the existing environment, mapped mailbox sizes and shared mailbox requirements, audited file server permissions, and designed the target M365 architecture. The practice manager approved the migration plan before any changes were made.

Week two — M365 tenant configuration. We provisioned Microsoft 365 Business Premium licences, configured Azure AD (Entra ID) with MFA enforcement, set up conditional access policies, and established SharePoint Online site structure mirroring the clinical, administrative, and management file hierarchy.

Weeks three to four — Email migration. Mailboxes were migrated from on-premises Exchange to Exchange Online using a hybrid cutover approach. Staff experienced no email downtime. Shared mailboxes, distribution lists, and mail flow rules were recreated in Exchange Online. SPF, DKIM, and DMARC were configured on the practice’s domain.

Weeks four to five — File migration. Files were migrated from the local file server to SharePoint Online (shared clinical and administrative files) and OneDrive (personal files). Permissions were reviewed and tightened during migration — removing broad access grants and implementing role-based access.

Week six — Security hardening and training. Data loss prevention rules were configured to detect and block external sharing of documents containing Medicare numbers, patient identifiers, and health information. Sensitivity labels were applied to clinical document libraries. Staff received two-hour training sessions on the new environment, split by role.

Week seven — Backup and validation. Third-party M365 backup was configured for Exchange, SharePoint, and OneDrive with 12-month retention. A full restore test was completed successfully. The on-premises servers were powered down and entered a 30-day parallel monitoring period before decommissioning.

What were the results?

The practice achieved full cloud operations with measurable improvements:

  • 40% licensing cost reduction — Right-sized M365 licences replaced the combination of on-premises CALs and separate Office licences. Administrative staff received Business Basic rather than Business Premium, matching licence tier to actual usage.
  • Reliable multi-site access — Clinicians access email, files, and Teams from any location without VPN. The practice management system was already cloud-hosted, so the migration eliminated the last on-premises dependency.
  • Compliance audit passed — The next audit found no data protection deficiencies. Sensitivity labels, DLP policies, access controls, and backup procedures were all documented and evidenced.
  • Zero on-premises server maintenance — Monthly IT costs became predictable with no hourly billing for server maintenance.
