Cloud is no longer the destination — it's the starting point
Ten years ago, "going to the cloud" was a strategic decision discussed in committee for months. Today it's the foundation under any serious IT project: email, office productivity, collaboration, storage, backup, identity, data analytics. The question has changed completely — it's no longer whether to move infrastructure to the cloud, but how to do it properly so the bill doesn't double in 18 months, security is real rather than catalogue-deep, and users work better, not worse.
At Impulso Tecnológico we've been designing, migrating and operating cloud environments for mid-sized companies since before Microsoft 365 was called that. We migrated the first mailboxes to BPOS in 2011, moved them on to Office 365 when it was renamed, and now we govern them in Microsoft 365 with Defender, Purview, Entra ID and the whole surrounding ecosystem. The difference between a cloud that works and a cloud that weighs the business down isn't the tool — it's how it's designed, segmented, licensed and operated. That's what we do.

Microsoft 365: the common floor of the modern workplace
Microsoft 365 is probably the most complete platform on the market — and at the same time, the most under-used. Most companies that come to us are running three of the fifteen things they pay for: mail, Teams for video calls, and OneDrive as a personal disk. The rest (structured SharePoint, Power Automate, Defender, Purview, Intune, Entra ID Conditional Access) is paid for but switched off. Our job, before migrating anything new, is to turn on what the client already has and prove the return before suggesting more licences.
When there is a real migration, we run it with our own methodology:
- Pre-flight analysis: audit of the current state (on-prem Exchange, Google Workspace, plain IMAP…) and inventory of mailboxes, distributions, rooms, shared resources, calendars and rules. Without an inventory there's no clean migration.
- Wave-based migration: never everyone at once. We start with a pilot group, fix what breaks, then advance by department in planned windows — with mailbox coexistence so no mail is lost during the overlap.
- Baseline security activated from day one: mandatory MFA, blocking of legacy protocols (basic IMAP/POP/SMTP), Defender for Office 365 anti-phishing policies, audit log enabled and reviewed.
- User training at the moment of change: not PDF manuals nobody reads, but 3-minute micro-videos delivered on migration day showing exactly what changes in their daily work.

Microsoft Azure: infrastructure when you need it, not before
Azure is the other half of Microsoft's cloud, and the one that creates the most confusion in mid-sized companies. The distinction from Microsoft 365 is simple: M365 is software-as-a-service (you consume ready-made applications), Azure is infrastructure and platform as a service (you build what you need on top of machines, networks and managed services). At Impulso we deploy Azure when there's a real use case:
- Virtual servers for applications that don't fit a SaaS (proprietary ERP, specific engineering software, development environments, RDS / terminal server with per-user licensing).
- Managed databases (Azure SQL, MySQL Flexible, PostgreSQL) when the client wants to drop the engine maintenance burden but keep control over the data.
- Backup and disaster recovery with geo-replication for critical workloads — the immutable copy in Azure Blob is one of the strongest arguments against ransomware.
- Hybrid environments connected over ExpressRoute or site-to-site VPN, when there are physical servers that aren't ready to migrate yet (industrial printers, plant controllers, legacy infrastructure with dependencies).
What we don't do is deploy Azure as a fashion statement. If a workload runs better on a well-sized, properly maintained on-premise server, we say so. The cloud isn't the right answer to every question — it's the right answer to the right questions.

Licensing and FinOps: cloud gets expensive when nobody governs it
The big cloud secret, the one sales teams avoid mentioning, is that without financial discipline the monthly cost grows silently until it doubles the planned budget: virtual machines nobody uses but left running, backups with no retention policy, E5 licences assigned to users who only need Business Standard, test containers running for eighteen months. At Impulso we apply a continuous FinOps model for every client:
- Monthly consumption review: executive report with cost per department, top 10 most expensive resources and proposed optimisation with estimated savings.
- Automatic rightsizing: real CPU/memory/disk usage analysis on Azure VMs to detect over-provisioning and propose resizing without affecting performance.
- Reserved Instances and Savings Plans: one- or three-year commitments for predictable workloads, with 30–65% discounts compared to on-demand pricing.
- Quarterly M365 licence audit: detection of inactive accounts, licences over-sized for the user's real profile, and alignment between what's billed and what's actually used.

Identity security: in cloud, identity is the new perimeter
When servers sat in a locked room, the perimeter was physical. In the cloud, identity is the new perimeter — which is why nearly every current attack starts with stolen credentials, not technical vulnerabilities. Our minimum baseline for any Microsoft 365 tenant includes:
- Mandatory MFA for 100% of users, no exceptions (executives and administrators included). Preferably with Microsoft Authenticator + number matching, not SMS.
- Conditional Access: policies that block sign-ins from unauthorised geographies, unmanaged devices, sessions Entra ID Protection flags as risky, or legacy clients with no MFA support.
- Privileged Identity Management (PIM): admin roles assigned just-in-time — a technician isn't global admin all day, they hold the role for the hour they need it for a specific task, with approval and audit.
- Defender for Office 365 Plan 2: advanced anti-phishing, sandboxing for suspicious attachments, simulated internal attacks for user training.
- Defender for Endpoint integrated with the tenant: Windows endpoints report to the same Security Center as the cloud, with automated response to indicators of compromise.

Microsoft 365 backup: what Microsoft doesn't do for you
A widespread and dangerous confusion: "If my data is in Microsoft 365, Microsoft does the backup". False. Microsoft replicates data to guarantee service availability (so mail doesn't disappear if a datacentre fails), but it does not protect against accidental deletion, insider threats, ransomware encrypting OneDrive, or human errors beyond its retention window (30–93 days depending on service). Backup responsibility sits with the customer. At Impulso we deploy Veeam Backup for Microsoft 365 as standard:
- Daily backup of mailboxes, OneDrive, SharePoint and Teams with configurable retention (one year minimum, legal retention where applicable).
- Storage on an independent cloud (immutable Azure Blob or S3 Object Lock) so even a tenant compromise can't wipe the copies.
- Granular restore: a specific email, an earlier version of a document, a Teams conversation, an entire SharePoint site.
- Documented quarterly restore tests. A backup that hasn't been tested is an assumption, not a protection.

Teams, SharePoint and OneDrive governance
Microsoft 365 with no governance is a jungle in six months: hundreds of teams created with no criteria, important files in the personal OneDrive of someone who's left the company, external access scattered without control, SharePoint sites with no owner. We design and roll out a governance framework adapted to each customer:
- Team creation policy with approved templates and a consistent naming pattern.
- Sensitivity labels (Purview) to classify confidential information and restrict external sharing.
- Periodic review of external access: inactive B2B guests, public sharing links, inherited access.
- Migration of personal OneDrive content to SharePoint when the document belongs to a team rather than a user.
- Automatic retention and deletion per document policy — aligned with GDPR and sector-specific regulations.

Support and operations: when cloud breaks, Monday at 9am
All of this architecture looks excellent in slide decks, but the reality is that cloud also breaks. A user is locked out of Teams in a meeting with a customer. An entire tenant loses connectivity after a botched DNS change. An E5 licence ends up unassigned because the billing plan changed. That's what our continuous cloud operations service is for:
- 9×5 support with sub-1-hour response SLA for critical incidents.
- Optional 24×7 on-call for environments where operations can't stop.
- Proactive tenant monitoring (Service Health, security alerts, usage anomalies).
- Multilingual support in Spanish, English and Portuguese — relevant for our clients operating across Iberia and international markets.

How we work
Every cloud project enters through a free assessment (1 hour, on-site or remote) → technical audit of the current environment and migration plan (1–3 weeks depending on volume) → closed-budget proposal broken down by phase → wave-based execution with no business downtime → ongoing operations with SLA, monthly FinOps and quarterly security review.
If your company has a critical cloud incident right now, call +34 91 505 7575. First response arrives in minutes, not days.