Enabling Remote Teams with Teams and Intune 

Remote working has now become a stable business model for many businesses. Your people work from home offices, coffee shops, and client sites, potentially using devices you don't control, accessing systems that need to remain secure. Most businesses bolted on remote access during the pandemic and called it done. That approach created security gaps, compliance headaches, and support costs that spiral as your team grows. Microsoft 365 gives you the tools to do remote working properly, but deployment matters. 

The Remote Working Infrastructure Gap 

Your finance team typically use desk phones. Sales typically prefer using personal mobiles. IT configured each laptop manually as per the specifications of the individual/dept. Reception transfers several calls to empty offices because everyone utilises a hybrid or working-from-home policy. 

Meanwhile, you're paying for a traditional phone system maintenance package, mobile phone allowances, and Office 365 from Microsoft, licenses that most people barely use beyond email. With leavers, IT can spend hours removing access across disconnected systems as centralised management is not available. When someone joins, provisioning takes days, procuring licenses, setting up, and configuration, etc. 

The bigger problem, Security? Data on unencrypted personal devices. Limited ability to enforce IT & Company policies and Legal Requirements. Little visibility into who accessed what from where. 

Compliance risks you can't easily quantify, except when the worst happens. Loss of business, irrevocable reputation damage, loss of sales, loss of suppliers and substantial fines all await those who do not take compliance risks seriously. Support costs are growing faster than headcount. Multiple bills for similar or overlapping functions, leading to the reinvention of the wheel 

What Prevents a Good Implementation 

Device Chaos Without Controls 

IT configures each device manually - half a day per laptop. Limited automated security checks. No ability to conduct a remote wipe. When people use their own devices (known as BYOD), visibility into security is minimal and enforcing basic protections becomes impossible. 

Devices that started secure can become vulnerable over time. When ransomware hits, quickly isolating infected devices becomes challenging. 

Teams Deployed, Telephony Forgotten 

You bought Microsoft 365 business licences. Turned on Teams for in-house meetings and sending occasional messages. That's a fraction of the available functionality. 

Meanwhile, you're still paying: 

• Desk phone maintenance (thousands annually) 

• Mobile allowances (£40-60 per user monthly, often uncontrolled) 

• Separate conferencing subscriptions (duplicating Teams capabilities) 

Your teams find that transferring calls between systems isn't straightforward. Voicemails go to three different places. and getting multiple departments aligned on call routing is always an ongoing concern. 

The "Good Enough" Trap 

"We'll migrate when the contract expires." Each month embeds practices that become harder to change. Your desk phone contract auto-renews for another three years. Mobile allowances creep upward.  

Then your vendor announces they're stopping support, and the timeline accelerates uncomfortably, outside the agreed IT Budget. 

Missing Expertise and Capacity 

Your IT team keeps things running day-to-day. Planning telephony migration without disruption, designing security policies that balance protection with usability, coordinating number transfers across multiple providers whilst maintaining service - these aren't tasks you want to learn through trial and error on live systems under time constraints. 

Getting it wrong means poor customer experience, service outages, security gaps, or all 3. Most businesses underestimate the specialist knowledge required until they're halfway through attempted deployments. 

Building a Suitable Remote Infrastructure 

Four key areas requiring attention. Each requires specialist knowledge to implement correctly. 

Device Management 

Scoping and setup: What devices require access to Teams? What security standards/policies will apply? Creating baseline configuration(s) that work across departments and hardware requires understanding both technical constraints and business workflows. Many businesses skip the requirements gathering step and are forced to reconfigure everything on the fly. 

Automation: New employee starts Monday. Laptop arrives configured. Getting Microsoft Intune automation right means configuring policies, Autopilot profiles ensure correct configuration irrespective of role, application deployment rules, and conditional access. Whilst this all seems easy to say, each part has its own dependencies and potential failure points, ensuring you have the skills to understand and overcome these issues is key. 

Security enforcement 

• Encryption required 

• Firewall enabled 

• Passwords minimum of 12 characters 

• Antivirus current 

• OS updated within seven days 

Non-compliant devices get flagged and fixed automatically where possible. Employees can no longer ignore updates. Force updates after giving the user the chance to install them ensures compliance and security. Restrict their access until they install the updates. 

Incident response  

• Lost device? Remote wipe capability.  

• Employee leaves? Remove access from everywhere.  

• Personal devices? Remove company data, leave personal files behind. 

Phased deployment Test with 20-30 people first (three to four weeks). Then roll out one department per month. Rolling out 200-500 devices takes two to three months with experienced deployment teams. This requires dedicated project management and technical expertise to handle issues as they emerge. 

Teams Telephony 

Number porting: Keep your existing numbers and move to Teams. The porting process involves provider coordination, ownership validation, service continuity planning, and scheduled cutover windows. Mistakes mean lost calls and angry customers. 

Call routing:  Auto attendants and call queues replace reception systems. "Press 1 for sales, 2 for support, 3 for accounts." Setting this up properly means understanding call flows, designing routing rules, configuring overflow handling, and testing thoroughly. 

Integration: Click numbers in Outlook to dial. Transfer calls between devices (laptop to mobile and mobile to desk phone). This requires correct policies across Teams, Exchange, and Azure Active Directory - get one wrong and features break in non-obvious ways. 

Costs and reliability: 2,000 minutes per person monthly, pooled together. Therefore, a team of 50 gets 100,000 shared minutes. 99.9% uptime. Encrypted calls. No hardware to maintain. 

Timeline: three to four months for 50-100 users with specialist deployment support. Attempting this internally typically doubles the timeline while pulling your IT team away from everything else. 

Security Policies 

Eight policy areas require configuration: 

Authentication: Two-step verification for everyone should already be standard for your organisation. Conditional access policies allow you to relax security when in a secure environment and increase security when you’re not. Understanding Microsoft's authentication stack, policy precedence, and exception handling is key to ensuring security where needed. 

Access control: Minimum required permissions per role should be standard practice, ensuring no one has more access than they should have or need to have. Implementing this across hundreds of users and dozens of applications takes careful planning. 

External access: External access has been the critical element in recent high-profile breaches. Therefore, having policies covering who invites external people? What can they see? How long do permissions last? This is no longer about inviting suppliers and customers to collaborate. It’s now something that requires policing.  

Retention: How long to keep Teams messages, recordings, files? Financial services: seven years. General business: three to six years. 

Document protection: Mark as confidential, internal, or public. System applies encryption and restrictions automatically based on your selection and setup of your tags.  

Communication barriers: Stop specific groups from communicating when needed. Relevant for professional services with client conflicts or regulatory requirements. 

Teams governance: Who creates channels? What naming rules should be adhered to? When to archive unused ones? 

Monitoring: Document the incident response plan, ensure this is shared with relevant people so everyone knows where it is and can run this in conjunction with others, test regularly and make any amendments as necessary. Monitor access logs for suspicious behaviour. Regular policy reviews and audit records are maintained to maintain security and ensure new features are responsibly protected and used.  

Deployment Approach 

Pilot phase: 20-30 users across departments. Deploy, gather feedback, refine. Running effective pilots requires dedicated project management and technical support that most internal teams struggle to provide alongside day-to-day responsibilities. 

Sequential rollout 

• Month one: Finance (People who are comfortable with technology, who will provide helpful feedback) 

• Month two: Operations (tests different usage patterns) 

• Month three: Sales (heavy phone use stress tests systems) 

This staged approach only works with proper support during each phase. Without dedicated deployment expertise, departments get stuck waiting for help whilst previous rollouts still need stabilisation. 

Champions programme: Identify enthusiastic people in each department. Train thoroughly. They answer colleagues' questions and provide hands-on help. However, Champions need expert backup - they're not trained deployment specialists. 

Adra used Champions with specialist deployment support, significantly improving adoption and reducing support burden. 

Training and support: Train users the week before go-live, not months ahead. Create a dedicated support channel. Office hours for questions. Clear escalation path. Extra capacity helps during the first two to three weeks. Regular security training and phishing simulations maintain awareness. 

Remote Working Done Effectively 

Two paths forward. 

Appropriate infrastructure: Employees work securely anywhere. One platform, one number, all devices. Security is automatically configured. Support costs become predictable. Phone costs are typically reduced 30-50%. New starters become productive in hours. Lost devices don't mean lost data. Cloud Care handles ongoing management, so your team can focus on the business. 

Patchwork approach: Growing security exposure. Multiple phone systems that don't integrate. Fragmented communication. IT overwhelmed. Compliance gaps. Costs outpace headcount. No System Care means reactive firefighting instead of proactive management. 

The tools exist within your Microsoft 365 subscription. The challenge isn't access to technology - it's having the specialist knowledge to deploy it correctly whilst managing business-as-usual operations. Phone system migrations, security policy design, device management at scale, and change management across distributed teams require expertise that most internal IT teams simply don't have the capacity to develop. 

Contact TSG to discuss how we can handle deployment and ongoing management of your remote working infrastructure. 

Frequently Asked Questions 

What's the difference between Office 365 from Microsoft and Microsoft 365? 

Office 365 is the old name for productivity applications (Word, Excel, Outlook). Microsoft 365 includes those applications plus device management, security features, Teams calling, and Windows licensing. Businesses purchasing today get Microsoft 365 subscriptions, though many still use the Office 365 name. 

Does Microsoft 365 Business include backup? 

No. Microsoft keeps deleted items for 30-90 days and tracks document versions, but that's not a backup. You need separate solutions for ransomware protection, long-term recovery, and compliance requirements. Microsoft 365 backup services work with email, document storage, and Teams for comprehensive protection. 

Can we use device management without replacing existing devices? 

Yes. Device management works with current Windows, Mac, iPhone, and Android devices. People continue using existing hardware with security applied remotely. Automated setup for new devices isn't required. Manage existing devices first, and use automation for future purchases. 

How long does Teams telephony deployment typically take? 

Three to four months from planning to being fully operational with specialist deployment support, depending on size and complexity. Internal IT teams attempting this themselves typically see six to nine-month timelines whilst managing competing priorities. Includes design, system build, number coordination, training, and staged rollout. Success requires proper planning, dedicated project management, and technical expertise in Microsoft's telephony stack before starting. 

What happens to our existing phone numbers? 

Numbers move to Teams through a managed process. Customers ring the same numbers - no disruption. Requires accurate information (which numbers, where registered, current provider) and coordination with the existing phone company. Transfer typically happens during quiet hours. 

Can Teams Phone integrate with our existing systems? 

Yes. Call recording is available as an add-on for compliance. Contact centre functionality is available for advanced call handling. Most businesses find standard capabilities (automated answering, call queues, voicemail, forwarding) sufficient without additional integrations.