6.4) Managing Ambiguity
1. The Consultant’s Mindset
In an enterprise, “lack of documentation” can be the default state, not an exception. You are being paid for your ability to operate in the gray.
- The Rule of Assumption: Assume every bizarre, seemingly illogical configuration was put there for a specific, urgent business reason at the time. Do not tear down a fence until you know why it was built (see Chesterton’s Fence).
- Investigation over Escalation: Never escalate a ticket to the role owner stating, “I don’t know what this does.” Escalate by stating, “I have traced this undocumented configuration to X, and it appears to impact Y. Should we decommission it?”
2. Forensic Discovery (Your “Hidden” Documentation)
When SharePoint wikis and IT portals are empty, the Microsoft 365 backend logs become your source of truth.
- Entra ID Audit Logs: Tell you who built the fence. If you find an undocumented Conditional Access policy or a strange enterprise application, check the audit logs to find the creator. Ping them directly: “I see you provisioned the ‘Project Alpha’ app registration last year; is this still in active use?”
- Entra ID Sign-in Logs: Tell you if the fence is still needed. If you find a legacy authentication exemption, check the sign-in logs filtered by that specific Conditional Access policy. If there hasn’t been a hit in 90 days, it is likely safe to deprecate.
- M365 Unified Audit Log (Purview): Tracks user and admin activity across Exchange, SharePoint, Teams, and Entra. Use this to reverse-engineer when a site’s permissions were broken or when a massive file deletion occurred.
3. Reverse-Engineering Workflows
When inheriting a broken, undocumented automation or architecture, map it backwards from the failure point.
- Power Automate / Power Apps: Do not just read the flow logic. Look at the Run History. Analyzing a failed run shows you the exact JSON payload, which tells you what data the flow expected versus what it actually received.
- Mail Flow (Exchange): If an email is mysteriously disappearing or routing incorrectly, do not guess. Run a Message Trace and look at the Message Events. It will explicitly state which Transport Rule or Connector intercepted the mail.
- Conditional Access Dependencies: Use the What If tool. If you aren’t sure why an undocumented policy exists, run “What If” scenarios against various user groups and locations to expose its true scope.
4. Safe Deprecation (The Enterprise “Scream Test”)
When you are fairly certain an undocumented configuration is obsolete but cannot get 100% confirmation, you must test the waters safely without causing an outage.
- Report-Only Mode (Conditional Access): Never just delete an old CA policy. Switch it to “Report-Only” for 14 days and monitor the logs to ensure nothing breaks.
- Scope Reduction (SharePoint/Teams): Instead of deleting an undocumented, seemingly abandoned Teams site, remove all members except the owners, or change the site to read-only. Wait 30 days. If it is business-critical, someone will log a ticket immediately.
- The “Hidden” Status (Exchange): Instead of deleting an undocumented Shared Mailbox or Distribution List, hide it from the Global Address List (GAL) and restrict who can send to it. If it is part of a systemic workflow, the workflow will fail, but the data and mailbox are instantly recoverable.
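The sign-in log check from section 2 and the report-only monitoring from section 4, as an added example that is not part of the original page: it scans exported sign-in records for matches of one Conditional Access policy inside a 90-day window. It assumes the records are JSON objects using the Microsoft Graph signIn field names (`createdDateTime`, `userPrincipalName`, `appliedConditionalAccessPolicies`); the function name, policy IDs and users are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed input: sign-in records exported as JSON objects using the Microsoft
# Graph signIn field names. Result values come from appliedConditionalAccessPolicies.
ENFORCED = {"success", "failure"}  # policy matched and was enforced
REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure", "reportOnlyInterrupted"}

def policy_usage(signins, policy_id, now, window_days=90):
    """Summarise matches of one Conditional Access policy inside the window."""
    cutoff = now - timedelta(days=window_days)
    out = {"enforced": 0, "report_only": 0, "last_hit": None, "users": set()}
    for rec in signins:
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("id") != policy_id:
                continue
            if pol.get("result") in ENFORCED:
                out["enforced"] += 1
            elif pol.get("result") in REPORT_ONLY:
                out["report_only"] += 1  # would have applied if enforced
            else:
                continue  # notApplied, notEnabled, reportOnlyNotApplied: no match
            out["users"].add(rec.get("userPrincipalName"))
            if out["last_hit"] is None or when > out["last_hit"]:
                out["last_hit"] = when
    out["candidate"] = out["enforced"] + out["report_only"] == 0
    return out

def _rec(ts, upn, pid, result):  # helper for the constructed sample below
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "appliedConditionalAccessPolicies": [{"id": pid, "result": result}]}

# Constructed sample data: placeholder policy IDs and users, not real tenant values.
LEGACY = "00000000-0000-0000-0000-00000000000a"    # legacy-auth exemption policy
REVIEWED = "00000000-0000-0000-0000-00000000000b"  # policy switched to report-only
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    _rec("2024-01-10T09:00:00Z", "scanner@example.com", LEGACY, "success"),
    _rec("2024-05-20T14:30:00Z", "alice@example.com", LEGACY, "notApplied"),
    _rec("2024-05-21T08:00:00Z", "bob@example.com", REVIEWED, "reportOnlyFailure"),
    _rec("2024-05-25T08:00:00Z", "bob@example.com", REVIEWED, "reportOnlyNotApplied"),
]

if __name__ == "__main__":
    for name, pid in (("legacy exemption", LEGACY), ("report-only policy", REVIEWED)):
        u = policy_usage(SAMPLE, pid, NOW)
        print(name, "deprecation candidate" if u["candidate"] else "still matching",
              u["last_hit"], sorted(u["users"]))
```

Feed it an export that covers the full window; a policy flagged as a candidate only means no match appeared in the records supplied.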