Executive briefing • Veterans Health Foundation RFP review

Administrative Cloud IT Environment Transition

A plain-English explanation of what the Foundation is asking for, what it really wants, which Microsoft technologies are in play, and where the RFP still leaves risk or opportunity on the table.

  • 5 → 15: Start small now, but scale without redesign later.
  • 100% owned: The Foundation wants the keys, the tenant, the licenses, and the ability to fire the vendor without losing control.
  • Cloud-first: Microsoft 365 for daily work, Azure for reporting and limited app hosting, and backup that survives mistakes or ransomware.
Project Summary (plain language)

What the project is really about

This section starts with the reasoning: not just what the RFP says, but what the organization is trying to protect and avoid.
Like I’m 5 years old:

The Foundation wants its own safe digital house in the cloud.

They do not want to live in someone else’s house, borrow someone else’s keys, or ask a vendor for permission every time they want to move a file cabinet or change a lock.

They want a small, clean, secure office for about 5 people today, but built in a way that can grow to 15 people later without tearing the whole thing down and rebuilding it.

What they say: “Design and support a fully cloud-based administrative IT environment.”
What they mean: “Give us a simple, secure Microsoft environment we legally own, can run ourselves if needed, and won’t get trapped inside.”
What they really want
  • Control: the tenant, Azure subscription, data, licenses, and admin rights must belong to the Foundation.
  • Safety: strong security for HR, executive, financial, and board materials.
  • Simplicity: no oversized enterprise data platform; just enough Azure to support reporting and a few future workloads.
  • Flexibility: future finance tools may change, so the design cannot be tied to one accounting system.
  • No vendor lock-in: if the provider leaves, operations should keep going.
  • Predictable cost: nonprofit pricing, transparent licensing, and support fees separated from Azure consumption.
  • Priority 1, Ownership: tenant and subscription in VHF's legal name.
  • Priority 2, Security: MFA, role-based access, backup, restricted sites.
  • Priority 3, Reporting: Azure data layer for Power BI and finance history.
  • Priority 4, Continuity: documented transition and recovery readiness.
Milestone Breakdown

How the work likely needs to be delivered

These milestones are not listed this cleanly in the RFP, but they are the practical steps a good provider would need to follow.
1. Foundation setup, ownership, and governance

Simple meaning: Give the Foundation its own Microsoft 365 tenant and Azure subscription in its legal name, with the Foundation holding the master keys.

Main deliverables: tenant creation or transfer, Azure subscription setup, named owner/admin accounts, delegated vendor access, licensing ownership model, architecture diagrams, admin credential handoff rules.

2. Identity and security baseline

Simple meaning: Make sure only the right people can get in, and that admin accounts are better protected than normal user accounts.

Main deliverables: MFA, separate admin identities, role-based access model, core Microsoft Entra security policies, audit logging, executive/HR access restrictions.

3. Microsoft 365 core collaboration rollout

Simple meaning: Set up email, file storage, Teams, and personal work files so staff can work from anywhere.

Main deliverables: Exchange Online, OneDrive, Teams, SharePoint Online, user accounts for the first 5 staff, domain/DNS setup if needed, file migration plan if legacy content exists.

4. SharePoint document management architecture

Simple meaning: Build the digital filing cabinet with the right rooms, labels, and locks.

Main deliverables: Administrative Hub, functional sites for Finance, Grants, Development, HR, Executive, Board, and Internal Communications; permissions model; site/library structure; naming rules; inheritance breaks where needed.

5. Backup and business continuity protection

Simple meaning: Create a second safety copy so the Foundation can recover from accidents, ransomware, or a bad admin action.

Main deliverables: backup design for Microsoft 365 workloads and Azure workloads, encrypted backup, retention protections, recovery runbooks, restore testing, documented RPO/RTO assumptions.

6. Azure data architecture for Power BI

Simple meaning: Build a small but tidy data room where finance history can be stored and used for reports.

Main deliverables: Azure data storage choice, staging model, data refresh/integration pattern, security model for datasets, cost assumptions, Power BI connectivity design, baseline compute/storage sizing.

7. Optional Azure Virtual Desktop capability

Simple meaning: Prepare a way to run one or two special Windows applications in the cloud later, without turning the whole company into a remote desktop shop.

Main deliverables: AVD design option, VM sizing, uptime schedule, concurrency assumptions, image/patch model, support for QuickBooks Enterprise or other legacy Windows apps if adopted later.

8. Training, cutover, documentation, and handoff

Simple meaning: Teach the Foundation how to use and control its new environment, then prove another provider could take over.

Main deliverables: admin guide, support procedures, knowledge transfer, architectural documentation, credential transfer, 30-day transition support.

Microsoft Technologies: What Was Identified

What Microsoft pieces are clearly in scope

Based on the RFP and official Microsoft documentation, these are the named or strongly implied platform components.
Explicitly named in the RFP
  • Microsoft 365 Business Premium: the main employee productivity bundle for a small organization.
  • Exchange Online: business email and calendaring.
  • SharePoint Online: the main document management system.
  • OneDrive: personal work file storage.
  • Microsoft Teams: chat, meetings, and collaboration.
  • Microsoft Entra ID: identity, sign-in, and access control.
  • Microsoft Azure: cloud platform for data services, storage, compute, and virtual workloads.
  • Power BI: reporting and analytics consuming Azure-hosted structured financial data.
  • Azure Virtual Desktop: optional limited-use application hosting for QuickBooks Enterprise or legacy apps.
  • Azure Virtual Machines / Storage / Compute: the building blocks behind application hosting and data workloads.
Strongly implied or should be considered
  • Microsoft Intune: official Microsoft docs show Business Premium includes Intune Plan 1, so endpoint and BYOD management is available and should be considered.
  • Conditional Access: Business Premium includes Entra ID P1, which supports Conditional Access for risk-based sign-in and device-aware access controls.
  • Microsoft Defender for Business: included in Business Premium for endpoint protection.
  • Defender for Office 365 Plan 1: included in Business Premium for phishing, malicious link, and attachment protection.
  • Microsoft Purview: sensitivity labels, DLP, retention, and auditing are highly relevant for HR, board, executive, and financial records.
  • Microsoft 365 Backup: Microsoft-native backup option for Exchange, SharePoint, and OneDrive.
  • Azure Backup: relevant for Azure VMs and some Azure storage workloads, including immutable vault and soft delete controls.
  • Azure SQL Database / Azure Storage / Data Lake: likely right-sized choices for financial staging, depending on source data complexity.
  • Power Automate / Power Apps: not required now, but strong future opportunities for approvals, intake forms, grant workflows, and lightweight admin apps.
  • Azure Cost Management + budgets: needed if Azure spend must stay transparent and predictable.
What Microsoft docs tell us matters here
  • Business Premium is designed for organizations under 300 users and includes productivity, security, and device management capabilities.
  • Business Premium includes Entra ID P1, Intune Plan 1, Defender for Business, and Defender for Office 365 Plan 1 — which means the Foundation can ask for stronger security than basic MFA alone.
  • Conditional Access + Intune can limit access to company data based on user, device, app, and location.
  • Sensitivity labels can control privacy, guest access, unmanaged device access, and sharing behavior for SharePoint sites and Teams-connected workspaces.
  • Azure Backup supports encryption, soft delete, immutable vaults, and multi-user authorization protections for backup data.
  • Azure Virtual Desktop autoscale can power VMs on/off by schedule, which fits the RFP’s “not always-on unless justified” approach.
  • Microsoft for Nonprofits offers nonprofit discounts and Azure grant support that should be reflected in pricing.
Most likely right-sized Microsoft design direction
  • Daily work: Microsoft 365 Business Premium on local devices.
  • Files and records: SharePoint Online + OneDrive, not file shares on virtual machines.
  • Reporting layer: small Azure staging environment, probably Azure SQL Database and/or Azure Storage, not a heavy enterprise warehouse.
  • Special apps: optional AVD or equivalent only for exceptions like QuickBooks Enterprise.
  • Security model: MFA + Conditional Access + role-based access + endpoint management.
  • Continuity: Microsoft 365 Backup and/or partner backup for M365 plus Azure Backup or equivalent for Azure workloads.
Potential Misses

What is missing, under-specified, or easy for vendors to gloss over

These are the important gaps where the Foundation may think it asked for enough, but a strong provider should clarify or expand the design.

1. Device management is not clearly required

The RFP talks about cloud apps and remote work, but not about how laptops, home PCs, or mobile devices are secured. Because Microsoft 365 Business Premium includes Intune, the Foundation should ask whether devices will be enrolled, checked for compliance, encrypted, and remotely wiped if lost.

2. Conditional Access is missing even though the license supports it

The RFP requires MFA, but MFA alone is only one lock. With Entra ID P1, the Foundation can also require approved devices, block risky sign-ins, limit access from unmanaged devices, and apply stronger rules to HR and executive content.

3. SharePoint security governance stops at permissions

The RFP covers sites, libraries, folders, and inheritance, but not sensitivity labels, retention, DLP, legal hold, or external sharing by classification. For HR, executive, board, and donor material, these Microsoft Purview controls are worth calling out explicitly.

4. Power BI licensing and content sharing are not defined

The RFP asks for Power BI reporting support, but does not say whether users need Power BI Pro, PPU, or whether reports will sit on Premium/Fabric capacity. This matters for cost and who can actually view shared dashboards.

5. Backup independence needs clearer wording

The RFP says backup must be independent from the primary tenant and subscription. That is directionally correct, but vendors can interpret it differently. Microsoft 365 Backup is highly protected and isolated inside Microsoft’s service boundary, but it is not the same thing as a separate customer-owned backup tenant. The Foundation should define what “independent” must mean.

6. No recovery targets are stated

The RFP says backup and recovery should exist, but it does not define how fast the Foundation needs to recover or how much data loss is acceptable. Vendors should be forced to state recovery time and recovery point assumptions.

7. Azure data design is intentionally light — but maybe too light

It is smart that the Foundation does not want an oversized warehouse. However, the RFP still does not define the likely source systems, refresh frequency, data history retention, transformation ownership, semantic model ownership, or whether self-service reporting is expected.

8. AVD is mentioned, but its identity and profile model is not

If QuickBooks Enterprise or other legacy apps are hosted later, vendors should explain the domain/join method, user profile handling, patching, printing, data storage rules, and app vendor support boundaries. Otherwise “AVD capability” may be priced too vaguely.

9. No admin break-glass model is spelled out

The RFP correctly requires Foundation global admin ownership. It should also require at least one or two emergency admin accounts, protected separately, documented, and tested so the Foundation is not locked out if a normal admin account fails.
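Items 2 and 9 are two halves of one design: every Conditional Access policy must exclude the emergency accounts, and any use of those accounts must be noticed. The following is an added example written for this review, not code from the RFP, the Foundation, or any bidder. It uses Microsoft Graph PowerShell to create two break-glass accounts, ships three report-only Conditional Access policies that use the Entra ID P1 rights already in Business Premium, and runs a Log Analytics query for any break-glass sign-in. The tenant domain, account names, policy names, workspace id, and the assumption that Entra sign-in logs already flow to Log Analytics are placeholders and assumptions of this example.

```powershell
# Added example (not from the RFP or any bidder): break-glass accounts + Conditional
# Access baseline + break-glass sign-in detection.
# Assumptions: Microsoft.Graph and Az.OperationalInsights modules installed, operator holds
# Global Administrator, and the values marked "placeholder" are replaced before use.

$scopes = @("User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Policy.ReadWrite.ConditionalAccess")
Connect-MgGraph -Scopes $scopes

$TenantDomain  = "vhf-example.onmicrosoft.com"           # placeholder tenant domain
$GlobalAdminId = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id

# --- 1. Emergency-access accounts ---------------------------------------------------
# Cloud-only, non-expiring password of 32 random bytes, shown once for offline escrow
# (sealed envelope or safe) and never stored by this script.
function New-BreakGlassAccount {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)
    $user = New-MgUser -DisplayName "Emergency access $Name" `
                       -UserPrincipalName "$Name@$TenantDomain" `
                       -MailNickname $Name `
                       -AccountEnabled `
                       -PasswordPolicies "DisablePasswordExpiration" `
                       -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    # Permanent Global Administrator assignment over the whole directory ("/").
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
                                                -RoleDefinitionId $GlobalAdminId `
                                                -DirectoryScopeId "/" | Out-Null
    [pscustomobject]@{ Id = $user.Id; Upn = $user.UserPrincipalName; Password = $password }
}

$breakGlass = @("bg-admin-01", "bg-admin-02") | ForEach-Object { New-BreakGlassAccount -Name $_ }
$breakGlass | Select-Object Upn, Password | Format-List   # record once for escrow, then clear the screen

# --- 2. Conditional Access baseline, report-only first -------------------------------
function New-BaselinePolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$ClientAppTypes,
        [Parameter(Mandatory)][string]$Operator,
        [Parameter(Mandatory)][string[]]$Controls
    )
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = $DisplayName
        # Report-only: the Foundation reviews sign-in impact before flipping to "enabled".
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            applications   = @{ includeApplications = @("All") }
            # Every policy excludes the break-glass accounts so a bad policy cannot lock the tenant.
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    } | Out-Null
}

# CA01: MFA on every cloud app for every user (the RFP's stated minimum).
New-BaselinePolicy -DisplayName "CA01 Require MFA for all users" `
                   -ClientAppTypes @("all") -Operator "OR" -Controls @("mfa")
# CA02: block legacy protocols (basic-auth IMAP/POP/SMTP, ActiveSync) that cannot carry MFA.
New-BaselinePolicy -DisplayName "CA02 Block legacy authentication" `
                   -ClientAppTypes @("exchangeActiveSync", "other") -Operator "OR" -Controls @("block")
# CA03: MFA AND an Intune-compliant device; this is how "limit access from unmanaged devices" is enforced.
New-BaselinePolicy -DisplayName "CA03 Require compliant device" `
                   -ClientAppTypes @("browser", "mobileAppsAndDesktopClients") -Operator "AND" -Controls @("mfa", "compliantDevice")

# --- 3. Detection: a break-glass sign-in is an incident until proven otherwise -------
Connect-AzAccount | Out-Null
$WorkspaceId = "00000000-0000-0000-0000-000000000000"     # placeholder Log Analytics workspace id
$upnList = ($breakGlass.Upn | ForEach-Object { "'$_'" }) -join ", "
$kql = @"
SigninLogs
| where TimeGenerated > ago(1d)
| where UserPrincipalName in~ ($upnList)
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results | Format-Table
```

After the report-only period, each policy is switched on with Update-MgIdentityConditionalAccessPolicy and its -State parameter set to enabled. The escrowed break-glass passwords are the credential escrow the recommendations section asks for, and the query in step 3 is what a vendor's "security operations" answer should schedule as a recurring alert rather than run by hand.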

10. Cost control tooling is not specifically requested

The Foundation wants transparent Azure consumption estimates, but the RFP does not require Azure budgets, alerts, tagging, or cost reporting. Without those, even a small Azure footprint can become noisy and hard to govern.
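What "budgets, alerts, tagging, or cost reporting" look like in practice, as an added example written for this review and not code from the RFP or any bidder: the Az PowerShell steps that tag a resource group, deny untagged resources with the built-in "Require a tag on resources" policy, and put a monthly budget on the subscription with an actual-spend alert at 80% and a forecast alert at 100%. The subscription id, resource group name, region, e-mail addresses, and the 300 USD cap are placeholders; the policy definition id is the built-in one and should be confirmed in the tenant before relying on it.

```powershell
# Added example (not from the RFP or any bidder): Azure cost guardrails for a small subscription.
# Assumptions: Az.Accounts and Az.Resources modules installed, operator is subscription Owner,
# and every value marked "placeholder" is replaced before use.

Connect-AzAccount | Out-Null
$SubscriptionId = "00000000-0000-0000-0000-000000000000"       # placeholder subscription id
Set-AzContext -Subscription $SubscriptionId | Out-Null

# --- 1. Tagging baseline: every resource traces to a workload, an owner, and an environment ----
$tags = @{ Workload = "finance-reporting"; Owner = "ops@vhf-example.org"; Environment = "prod" }
New-AzResourceGroup -Name "rg-vhf-reporting" -Location "eastus" -Tag $tags | Out-Null

# Deny any resource created without an Owner tag. The id is the built-in
# "Require a tag on resources" definition; confirm it with Get-AzPolicyDefinition -Builtin.
$tagPolicy = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99"
New-AzPolicyAssignment -Name "require-owner-tag" `
                       -Scope "/subscriptions/$SubscriptionId" `
                       -PolicyDefinition $tagPolicy `
                       -PolicyParameterObject @{ tagName = "Owner" } | Out-Null

# --- 2. Monthly budget with an actual-spend alert and a forecast alert -------------------------
# Budgets must start on the first day of a month; this one runs for two years.
$start = (Get-Date -Day 1).ToString("yyyy-MM-dd")
$end   = (Get-Date -Day 1).AddYears(2).ToString("yyyy-MM-dd")
$budget = @{
    properties = @{
        category   = "Cost"
        amount     = 300                      # placeholder monthly cap in the billing currency
        timeGrain  = "Monthly"
        timePeriod = @{ startDate = "${start}T00:00:00Z"; endDate = "${end}T00:00:00Z" }
        notifications = @{
            # Fires once real spend passes 80% of the cap.
            Actual_GreaterThan_80_Percent = @{
                enabled = $true; operator = "GreaterThan"; threshold = 80; thresholdType = "Actual"
                contactEmails = @("finance@vhf-example.org"); contactRoles = @("Owner")
            }
            # Fires early, when the month's forecast already exceeds the cap.
            Forecasted_GreaterThan_100_Percent = @{
                enabled = $true; operator = "GreaterThan"; threshold = 100; thresholdType = "Forecasted"
                contactEmails = @("finance@vhf-example.org", "ops@vhf-example.org"); contactRoles = @("Owner")
            }
        }
    }
}
$path = "/subscriptions/$SubscriptionId/providers/Microsoft.Consumption/budgets/monthly-cap?api-version=2021-10-01"
$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload ($budget | ConvertTo-Json -Depth 10)
if ($resp.StatusCode -notin 200, 201) { throw "Budget creation failed: $($resp.Content)" }
"Budget 'monthly-cap' in place: $start to $end, alerts at 80% actual and 100% forecast."
```

The budget is created through the Consumption REST API rather than New-AzConsumptionBudget because the REST body carries several notifications in one call, which is what separates "we got an e-mail after the overrun" from "we were warned while it was still avoidable". The tag policy is what makes the monthly cost report meaningful, since Cost Management can only group spend by tags that actually exist on the resources.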

11. Nonprofit benefit activation ownership is vague

The RFP asks for nonprofit pricing, but does not clearly say who is responsible for nonprofit validation, grant activation, annual renewal monitoring, and keeping licensing under the Foundation’s direct control.

12. Good hidden opportunity: automate admin work later

Even though the RFP is focused on core infrastructure, the site structure and Microsoft platform choices set up a future path for Power Automate, lightweight Power Apps, donor/grant intake workflows, approvals, and better reporting with little rework.

Recommendations & Conclusions

The short version for owners and executives

Now that the analysis is complete, these are the main takeaways and practical next moves.
Bottom line

This is not just an IT setup request. It is a control, continuity, and independence request.

The Foundation wants a small Microsoft cloud environment that feels simple to use, but is professionally governed underneath: owned by the Foundation, safe for sensitive records, easy to support, and easy to take over from a vendor if necessary.

If a bidder only talks about “setup” and “support,” they are probably missing the real requirement: institutional independence without operational fragility.

Best-fit platform reading

The RFP is strongly aligned to a Microsoft 365 Business Premium + right-sized Azure architecture. That is a good fit for 5–15 administrative users.

The strongest proposals will avoid overengineering, keep Azure consumption modest, use Business Premium security features fully, and make backup/recovery and ownership crystal clear.

Recommendations the Foundation should add or push vendors to answer

  • Require vendors to show exactly how Intune, Conditional Access, and Defender will be used — or explain why not.
  • Require a Power BI licensing model and who can share, publish, and view reports.
  • Require a clear statement of what “independent backup” means and how restore testing will be performed.
  • Require RPO/RTO targets for Microsoft 365 and Azure workloads.
  • Require a data governance baseline for HR, board, executive, donor, and financial documents: labels, retention, DLP, auditing, and external sharing defaults.
  • Require Azure cost controls: budgets, alerts, baseline assumptions, and monthly reporting.
  • Require break-glass admin accounts, named admin separation, and documented credential escrow/transfer.
  • Ask bidders to show a day-2 operating model: who handles user onboarding, site changes, restore requests, and vendor transition.

How to spot the best vendor response

  • They keep the design simple, not flashy.
  • They use the security features already included in Business Premium.
  • They separate licensing, Azure consumption, one-time work, and recurring support very clearly.
  • They provide real documentation, not just screenshots.
  • They explain how the Foundation can take over or switch providers without downtime or relicensing.
  • They size Azure and AVD with assumptions that can be challenged, not vague placeholders.
  • They talk about governance, backup testing, and security operations, not only deployment.
Official Microsoft grounding

Microsoft documentation used for the review

These first-party Microsoft references were used to validate the Microsoft technologies, licensing, security, backup, and nonprofit considerations mentioned above.