Here’s the uncomfortable truth: Zero Trust is not the strongest security model. And giving every user total freedom isn’t the most productive option either. Both extremes are broken. If your M365 setup leans too far in either direction, you’re leaving gaps—or grinding productivity to a halt. In this workshop, I’ll show you how top-performing organizations hit the sweet spot: a perfectly tuned system where CISO, GDPR officer, and everyday user are all satisfied. The tradeoffs may surprise you, and the solution usually isn’t where most IT pros start looking.

Why Extremes Always Fail

What happens if you go all in on Zero Trust or let users roam free with unlimited access? In practice, both of those choices end up creating more problems than they solve.

On paper, Zero Trust looks perfect—it promises a world where every access request is inspected, validated, and logged. Nothing moves without constant checks. The framework sounds airtight, and security teams love the neat diagrams vendors put in front of them. But the reality of running it inside a production environment hits much harder. Each one of those trust decisions translates into real policies, prompts, and denials that ordinary employees have to fight through just to get their work done.

Think about what it feels like for someone on the marketing team trying to launch a campaign under strict rules. Every time they log in, they’re hit with extra verification screens. They try sharing a file externally, and it bounces back. They go to approve an ad buy, but the system blocks the unfamiliar IP of the agency. Before long they’ve spent more time emailing IT than working. What looked like “tight security” in a governance meeting turns into delayed projects, frustrated staff, and managers asking why everything takes twice as long now.

It’s the digital version of walking through an office where every single door has its own unique key. Not only do you need to carry a giant ring with dozens of keys, but you’ll also end up stuck in hallways because you can’t find the right one. In theory, each door has its own lock, so only the right people get in. In practice, people end up propping doors open with chairs just to move around and do their jobs. That’s not better security; it’s a workaround created by frustration, and it undermines the whole system.

Now look at the opposite extreme, where every user enjoys total freedom. Maybe IT is tired of approvals, so they just hand out admin rights across the board. At first, it feels amazing. Install whatever you need, fix your own problems, no more waiting. But it doesn’t take long before an employee clicks the wrong link, installs infected software, and suddenly ransomware is encrypting shared drives. The same freedom that felt empowering quickly turns into a wildfire spreading through systems that were supposed to stay protected. By giving everyone a key to the entire building—including the server room—you’ve essentially invited attackers to do whatever they want with no barriers in place.

Plenty of IT teams have lived through both of these scenarios. Some remember the six-month Zero Trust rollout that clogged workflows so badly that leadership demanded half the rules be rolled back. Others remember the “everyone’s an admin” decision that ended with entire environments rebuilt from backup after an attack. Both groups reach the same conclusion: there’s no shortcut where you simply pick one side and declare victory. These extremes consume countless hours, either by dragging down productivity or by forcing frantic damage control after a breach.

It’s a natural question: if each approach fails, why can’t we just optimize one until it works? The trouble is that the system doesn’t allow it. Security, compliance, and usability are tied together like communicating vessels. Strengthening one without regard for the others just shifts the pressure around until something bursts. If you crank security to the maximum, workflows collapse. If you open access all the way in the name of convenience, risk spills over everywhere. Neither model can hold on its own because the environment wasn’t built for absolutes—it was built with interconnections across identity, applications, and endpoints.

So the message becomes clear. Balance isn’t some optional luxury you add when time allows. It’s the operating principle required by the way these systems are designed to function. Extreme security breaks people. Extreme freedom breaks systems. The sustainable approach is finding that middle path where policies protect without paralyzing, and where productivity thrives without opening major attack surfaces.

And while theory often talks in big frameworks, most organizations don’t fall apart at that high level. They break first in the day-to-day execution. The settings that promise safety often live hidden away in the very tools administrators use. Which means if you want to see where the balance tips too far, you need to look at the admin portals.

The Hidden Impact of Admin Portals

The most overlooked place where security clashes with productivity is sitting right in front of admins every day: the portals. Most end users will never log into them, but the settings chosen there ripple through everything they touch. The Teams call that won’t connect, the Outlook sign-in that suddenly stops, even OneDrive sync failing out of nowhere—underneath almost every one of those headaches is a portal configuration someone changed thinking it was a small tweak. For admins, toggling one control feels harmless. For the user base, that one toggle can rewrite an ordinary workday in ways that nobody predicted.

It’s easy to forget how tightly connected these portals really are. An admin working late might tighten up a sharing policy in SharePoint Online.
They’re thinking they’ve just blocked risky external access. The next morning, a legal team trying to send draft contracts to outside counsel discovers their links don’t work. Marketing drops a file into Teams for a partner and sees an access denied screen. Everyone assumes the system is broken, but the only thing that happened was a checkbox click that cascaded into dozens of blocked scenarios. That disconnect between intention and result is where frustration begins to grow.

It helps to picture it like making an adjustment to your car’s steering wheel, only to find out afterward that the brake pedal stopped responding. The changes don’t live in isolation. In M365, one security control can silently overlap with another, creating side effects even the admin didn’t expect. You thought you were just tightening the steering to make the drive safer, but now you can’t bring the car to a stop. That’s how quickly a well-meant setting becomes a problem that pulls attention away from actual business goals.

Most administrators don’t set out to make life harder for their users. They’re following best practice guides, running compliance checks, and responding to pressure from the security side. The misstep is treating policies like isolated switches instead of system-level dials. It’s the difference between turning down a single light in a room and rerouting the building’s entire power system. The action is simple, and it feels like a win in the admin interface, but the outcome is far bigger than the admin ever sees on their screen.

Take something as basic as Multi-Factor Authentication prompts. Adjusting them looks straightforward—you decide that push approvals should trigger more often, so you raise the frequency. In the portal, the change looks minor, almost invisible.
The knock-on effects, though, land with travelling employees who suddenly find themselves locked out of their mailbox in the middle of an airport lounge, unable to clear the prompt because they don’t have stable connectivity. Support tickets flood in, productivity slides, and all of a sudden the extra safety you introduced to increase trust is being treated as a nuisance bordering on a system outage.

From a CISO’s chair, that policy change might look wonderful. More prompts mean a stronger barrier against credential abuse and better numbers to report back to the board. From the perspective of the employees, however, the same change feels like a tax on every single login. You wanted friction for the attacker, but the person feeling it every hour of the day is your own staff. That’s the imbalance many organizations stumble into: the goals of security appear aligned on paper, but the human side is paying the actual cost in frustration and time lost.

When you look at it this way, it becomes obvious that portals aren’t neutral tools. They either amplify productivity or suppress it, depending on whether settings complement each other or clash. Treating them as a collection of simple toggles underestimates the ripple effect each one has. The truth is, every change shifts the whole system, even if the designer didn’t intend it to. The challenge isn’t picking the most secure checkbox; it’s predicting the interplay between those checkboxes across SharePoint, Exchange, Teams, and identity policies.

Optimizing the portals means shifting the mindset away from isolated settings and toward viewing them as a network. A decision that helps security in one corner isn’t a real win if it blocks three workflows in another. What matters is making the settings work together so employees can move without hitting constant obstacles. When that balance is struck, users often don’t even notice the portals exist at all—which is the real mark of success.
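Both portal changes described above, the tightened SharePoint Online sharing policy and the raised MFA prompt frequency, can be staged so their blast radius is visible before anyone is locked out. The script below is an added example, not code from the show or from Microsoft; it assumes the SharePoint Online Management Shell and Microsoft.Graph.Identity.SignIns modules, a placeholder tenant named "contoso", a placeholder policy name, and a break-glass account id that you substitute.

```powershell
# Added example: preview the impact of the two portal changes before enforcing them.
# Assumes: SharePoint Online Management Shell + Microsoft.Graph.Identity.SignIns modules,
# placeholder tenant "contoso", placeholder policy name, and a break-glass account id to fill in.

# --- 1. SharePoint Online: who does a stricter tenant sharing setting actually hit? ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$tenantSharing = (Get-SPOTenant).SharingCapability
# A site can never share more broadly than the tenant allows, so every site that is
# currently open to external users is a workflow the tenant-level change will clamp.
$openSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner

Write-Host "Tenant sharing today: $tenantSharing"
Write-Host "Sites still open to external sharing: $($openSites.Count)"
$openSites | Format-Table -AutoSize
# Decision point: hand this list to the site owners (legal, marketing, ...) before running
#   Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly
# so the break is negotiated up front instead of discovered the next morning.

# --- 2. Entra ID: raise the MFA prompt frequency in report-only mode first ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA-SignInFrequency-1h-ReportOnly"           # placeholder name
    state       = "enabledForReportingButNotEnforced"          # evaluated and logged, never enforced
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")  # placeholder: keep the emergency account out
        }
        applications = @{ includeApplications = @("All") }
    }
    sessionControls = @{
        # The "raise the frequency" dial from the story: force re-authentication every hour
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 1 }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Report-only policy $($created.Id) created."
Write-Host "Review the report-only results in the sign-in logs (who would have been prompted, and where) before setting state to 'enabled'."
```

Running the first half before the Set-SPOTenant call and leaving the second half in report-only mode for a full travel cycle gives the legal, marketing, and CISO conversations something concrete to argue over, instead of the next morning's support tickets.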
Security is operating in the background, compliance can pass an audit without drama, and no one feels like they’re battling their tools just to meet a deadline. That’s why the portals become such a critical battleground. Ignore their role, and you end up with accidental roadblocks. Treat them as interconnected, and you unlock the very balance between safety and efficiency that everyone is chasing.

But of course, portals are only the first layer. The real tension surface
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.