DEV Community

Mychel Garzon

The Microsoft 365 Governance Stack Nobody Talks About (But Every IT Team Needs)

Every IT manager I've worked with in Finland says the same thing: "We know what we should be doing. We just don't have time to do it."

They know guest accounts should be reviewed monthly. They know inactive licenses are costing money. They know onboarding should be consistent. They know someone should be watching the Secure Score.

None of it happens consistently because it all requires manual effort, and manual effort competes with everything else on the ticket queue.

This article is about the five n8n workflows I've published on the Creator Hub that fix this — not by adding more work, but by making Microsoft 365 governance happen automatically in the background while your team focuses on actual problems.

All five are free to download and run on your own infrastructure.


Why Governance Breaks Down in Mid-Market M365 Environments

Large enterprises have dedicated GRC teams, SIEM platforms, and identity governance products. Small companies don't need any of that. But mid-market companies — 50 to 500 employees — sit in an awkward middle ground: complex enough to have real governance risks, not large enough to justify enterprise tooling.

The result is governance by spreadsheet. Someone maintains a guest account list in Excel. Someone else tracks license assignments in a SharePoint list that's six months out of date. Onboarding is a checklist in Confluence that half the IT team has bookmarked and half have never seen.

n8n on self-hosted infrastructure is the right tool for this tier. It's cheap to run (under €10/month on Hetzner), connects natively to the Microsoft Graph API, and produces audit trails that satisfy most compliance requirements including NIS2.

Here are the five workflows.


1. Govern Stale Entra ID Guest Accounts

The problem: Guest accounts accumulate. A consultant finishes a project, their account stays active. A vendor contact leaves their company, their Teams access remains. Six months later nobody knows who half the guests are or whether they still need access.

What the workflow does:

Runs monthly. Pulls all guest accounts from Entra ID via the Graph API. For each guest, checks last sign-in date and current group memberships. Flags anyone inactive for 30+ days or with access to sensitive resources. Sends a review request to the internal account owner — the employee who originally invited them. If no response in five days, escalates to IT admin. Logs all decisions to a SharePoint compliance list.

This is the most-downloaded workflow in my catalog for a reason: it solves a problem every M365 tenant has and most IT teams have been meaning to fix for years.

Practical impact: One client reduced their guest account count by 60% in the first month. More importantly, they now have a defensible audit trail showing that guest access is reviewed and decisions are documented.
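The review logic described above, as an added example that is not the article's or the Creator Hub workflow's own code. It shows the decision part of the monthly run as it could sit in an n8n Code node between the Graph HTTP Request node and the Teams/SharePoint nodes: the 30-day inactivity rule, the sensitive-group flag, grouping by the inviting employee, and the five-day escalation. Guest records follow the shape of Graph's `GET /users?$filter=userType eq 'Guest'&$select=id,mail,signInActivity` (note that `signInActivity` requires an Entra ID P1 licence and the `AuditLog.Read.All` permission). The `invitedBy` field and the group IDs are assumptions: Graph does not return the inviter on the user object, so the workflow is assumed to keep it in its SharePoint list.

```javascript
// Added example, not the article's or the workflow's code. Input shape follows
// Graph /users with $select=id,mail,signInActivity; `invitedBy` is assumed to
// come from the workflow's own SharePoint list (Graph does not provide it).

const INACTIVE_DAYS = 30;
const ESCALATE_AFTER_DAYS = 5;
// Tenant-specific; these group IDs are constructed placeholders.
const SENSITIVE_GROUP_IDS = new Set(["grp-finance", "grp-hr-confidential"]);

function daysBetween(earlier, later) {
  return (later.getTime() - earlier.getTime()) / 86400000;
}

// Decide whether one guest needs a review, and record every reason.
function evaluateGuest(guest, groupIds, now) {
  const lastIso = guest.signInActivity ? guest.signInActivity.lastSignInDateTime : null;
  const reasons = [];
  if (!lastIso) {
    reasons.push("never signed in");
  } else {
    const idle = Math.floor(daysBetween(new Date(lastIso), now));
    if (idle >= INACTIVE_DAYS) reasons.push("inactive " + idle + " days");
  }
  const sensitive = groupIds.filter((g) => SENSITIVE_GROUP_IDS.has(g));
  if (sensitive.length > 0) reasons.push("member of sensitive groups: " + sensitive.join(", "));
  return { id: guest.id, mail: guest.mail, owner: guest.invitedBy, flagged: reasons.length > 0, reasons };
}

// Group flagged guests by the employee who invited them, so each owner gets
// one review request instead of one message per guest.
function buildReviewRequests(guests, groupsByGuestId, now) {
  const byOwner = new Map();
  for (const guest of guests) {
    const result = evaluateGuest(guest, groupsByGuestId[guest.id] || [], now);
    if (!result.flagged) continue;
    if (!byOwner.has(result.owner)) byOwner.set(result.owner, []);
    byOwner.get(result.owner).push(result);
  }
  return byOwner;
}

// Follow-up rule for a pending review: log a decision, escalate after five
// days without one, otherwise keep waiting.
function nextAction(review, now) {
  if (review.decision) return { action: "log", decision: review.decision };
  if (daysBetween(new Date(review.requestedAt), now) >= ESCALATE_AFTER_DAYS) {
    return { action: "escalate", to: "it-admin" };
  }
  return { action: "wait" };
}

// Constructed sample input: three guests, one of them never signed in.
const NOW = new Date("2024-06-01T00:00:00Z");
const SAMPLE_GUESTS = [
  { id: "g1", mail: "consultant@partner.example", invitedBy: "anna@corp.example",
    signInActivity: { lastSignInDateTime: "2024-05-25T08:00:00Z" } },
  { id: "g2", mail: "vendor@supplier.example", invitedBy: "anna@corp.example",
    signInActivity: { lastSignInDateTime: "2024-03-01T00:00:00Z" } },
  { id: "g3", mail: "auditor@audit.example", invitedBy: "mika@corp.example",
    signInActivity: null },
];
const SAMPLE_GROUPS = { g1: ["grp-projects"], g2: [], g3: ["grp-finance"] };

const reviews = buildReviewRequests(SAMPLE_GUESTS, SAMPLE_GROUPS, NOW);
for (const [owner, items] of reviews) {
  console.log(owner, items.map((i) => i.mail + ": " + i.reasons.join("; ")));
}
```

Every flag carries its reasons, because that text is what the SharePoint compliance list keeps; a bare "remove" decision without the inactivity figure is a much weaker audit record.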

Download on Creator Hub →


2. Optimize Inactive Microsoft 365 Premium Licenses

The problem: M365 Business Premium licenses cost around €20/user/month. In a 100-person company, ten unused licenses are €2,400/year sitting idle. Most IT teams know this is happening but don't have a systematic way to find and act on it.

What the workflow does:

Runs weekly. Queries the Graph API for license assignments and cross-references with sign-in activity. Flags users who haven't signed in for 90+ days but still hold premium licenses. Generates a report showing potential monthly savings. Sends the report to IT admin and optionally to finance. Includes a one-click approval flow in Teams — admin can approve downgrades directly from the Teams message without opening the admin portal.

The Teams Adaptive Card approval is the detail that makes this workflow actually get used. If acting on the recommendation requires opening three browser tabs, people don't do it. If it's a button in Teams, they do.
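The licence check, savings report and Teams approval card described above, as an added example that is not the article's or the workflow's own code. User records follow the shape of Graph's `GET /users?$select=id,displayName,assignedLicenses,signInActivity`; the SKU GUID is a placeholder (look up the real Business Premium SKU with `GET /subscribedSkus` in your tenant), and the €20/user/month figure is the article's. The last function shows the detail a practitioner wants when a button in Teams can remove a licence: the submitted user ID is validated against the candidate list that produced the card, so an edited or replayed payload cannot downgrade an arbitrary user.

```javascript
// Added example, not the article's or the workflow's code. SKU GUID and all
// user records are constructed placeholders.

const PREMIUM_SKU_ID = "00000000-0000-0000-0000-000000000000"; // placeholder SKU GUID
const PREMIUM_PRICE_EUR = 20;
const INACTIVE_DAYS = 90;

function idleDays(user, now) {
  const last = user.signInActivity && user.signInActivity.lastSignInDateTime;
  if (!last) return Infinity; // never signed in
  return Math.floor((now.getTime() - new Date(last).getTime()) / 86400000);
}

function holdsPremium(user) {
  return (user.assignedLicenses || []).some((l) => l.skuId === PREMIUM_SKU_ID);
}

// Premium holders with no sign-in for 90+ days (or ever).
function findIdleLicenses(users, now) {
  return users
    .filter(holdsPremium)
    .map((u) => ({ userId: u.id, displayName: u.displayName, idleDays: idleDays(u, now) }))
    .filter((c) => c.idleDays >= INACTIVE_DAYS);
}

function savingsReport(candidates) {
  const monthlyEur = candidates.length * PREMIUM_PRICE_EUR;
  return { count: candidates.length, monthlyEur, annualEur: monthlyEur * 12 };
}

// Adaptive Card with one Action.Submit per candidate. The `data` payload is
// what n8n receives back when the admin clicks the button.
function buildApprovalCard(candidates, report) {
  return {
    type: "AdaptiveCard",
    $schema: "http://adaptivecards.io/schemas/adaptive-card.json",
    version: "1.4",
    body: [
      { type: "TextBlock", weight: "Bolder",
        text: "Idle premium licences: " + report.count + " (~" + report.monthlyEur + " EUR/month)" },
      ...candidates.map((c) => ({
        type: "TextBlock",
        text: c.displayName + ": " + (Number.isFinite(c.idleDays) ? c.idleDays + " days idle" : "never signed in"),
      })),
    ],
    actions: candidates.map((c) => ({
      type: "Action.Submit",
      title: "Downgrade " + c.displayName,
      data: { action: "downgrade", userId: c.userId },
    })),
  };
}

// Handling the button click. The submitted userId must be in the candidate
// list that produced the card; anything else is rejected, not acted on.
function handleApproval(submitted, candidates) {
  const match = candidates.find((c) => c.userId === submitted.userId);
  if (submitted.action !== "downgrade" || !match) {
    throw new Error("rejected approval for unknown user or action");
  }
  // Body for the Graph call the workflow makes next:
  // POST /users/{id}/assignLicense
  return { userId: match.userId, addLicenses: [], removeLicenses: [PREMIUM_SKU_ID] };
}

// Constructed sample tenant.
const NOW = new Date("2024-06-01T00:00:00Z");
const SAMPLE_USERS = [
  { id: "u1", displayName: "Idle Ida", assignedLicenses: [{ skuId: PREMIUM_SKU_ID }],
    signInActivity: { lastSignInDateTime: "2024-02-01T00:00:00Z" } },
  { id: "u2", displayName: "Active Antti", assignedLicenses: [{ skuId: PREMIUM_SKU_ID }],
    signInActivity: { lastSignInDateTime: "2024-05-28T00:00:00Z" } },
  { id: "u3", displayName: "Basic Bea", assignedLicenses: [{ skuId: "basic-sku-placeholder" }],
    signInActivity: null },
  { id: "u4", displayName: "Never Nina", assignedLicenses: [{ skuId: PREMIUM_SKU_ID }],
    signInActivity: null },
];

const candidates = findIdleLicenses(SAMPLE_USERS, NOW);
console.log(savingsReport(candidates), JSON.stringify(buildApprovalCard(candidates, savingsReport(candidates))));
```

Users who never signed in are reported separately from users with an old sign-in date; a licence assigned months ago to an account that was never used is usually a stalled onboarding rather than a departed employee, and the admin reads those two cases differently.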

Download on Creator Hub →


3. Orchestrate M365 Employee Onboarding

The problem: Onboarding is a checklist. Checklists get skipped, done out of order, or completed differently depending on who's on the IT team that week. New employees wait hours or days for access they should have had on day one.

What the workflow does:

Triggered by an HR system webhook or a SharePoint list entry. Creates the Entra ID account, assigns licenses based on a role template, provisions Teams channel membership, creates the SharePoint folder structure, sends a welcome email sequence (Day 1, Day 7, Day 30), triggers an IT checklist notification to the relevant team, and logs every provisioning action with timestamps.

The role template system is the key design decision here. Instead of IT manually deciding what access each new hire gets, the workflow maps job titles to predefined access bundles. A new "Sales Account Executive" automatically gets the Sales Teams channels, the CRM SharePoint library, and the Sales Premium license — no manual decision required.

The offboarding reverse flow is included: same workflow, triggered on termination date, revokes all access in the correct sequence.
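The role-template lookup and the ordered onboarding and offboarding plans described above, as an added example that is not the article's or the workflow's own code. Group, team, library and SKU names are constructed placeholders (in a real tenant they would be object IDs), and the offboarding order, which blocks sign-in and revokes sessions before unwinding access and removes the licence last, is my choice rather than something the article specifies. Unknown job titles fall back to a minimal bundle and are flagged for IT review instead of guessing at access.

```javascript
// Added example, not the article's or the workflow's code. All IDs, names
// and SKUs are constructed placeholders.

const ROLE_TEMPLATES = {
  "Sales Account Executive": {
    license: "SKU-PREMIUM-PLACEHOLDER",
    groups: ["grp-sales"],
    teams: ["Sales", "Sales - Nordics"],
    libraries: ["/sites/CRM/Shared Documents"],
  },
  "Finance Controller": {
    license: "SKU-PREMIUM-PLACEHOLDER",
    groups: ["grp-finance"],
    teams: ["Finance"],
    libraries: ["/sites/Finance/Shared Documents"],
  },
};
// Least-privilege fallback for titles with no template.
const DEFAULT_TEMPLATE = { license: "SKU-BASIC-PLACEHOLDER", groups: ["grp-all-staff"], teams: ["All Staff"], libraries: [] };

// Exact title first, then case-insensitive; unknown titles get the default
// bundle and a needsReview flag so IT decides instead of the workflow.
function resolveTemplate(jobTitle) {
  if (ROLE_TEMPLATES[jobTitle]) return { template: ROLE_TEMPLATES[jobTitle], needsReview: false };
  const key = Object.keys(ROLE_TEMPLATES).find((k) => k.toLowerCase() === String(jobTitle).toLowerCase());
  if (key) return { template: ROLE_TEMPLATES[key], needsReview: false };
  return { template: DEFAULT_TEMPLATE, needsReview: true };
}

function addDays(date, n) {
  return new Date(date.getTime() + n * 86400000).toISOString().slice(0, 10);
}

// Ordered steps; each becomes one node execution and one timestamped log row.
// Day 1 is the start date, so the Day-N mail goes out on start + (N - 1).
function buildOnboardingPlan(hire) {
  const { template, needsReview } = resolveTemplate(hire.jobTitle);
  const start = new Date(hire.startDate);
  const steps = [
    { step: "createAccount" },
    { step: "assignLicense", sku: template.license },
    ...template.groups.map((g) => ({ step: "addToGroup", group: g })),
    ...template.teams.map((t) => ({ step: "addToTeam", team: t })),
    ...template.libraries.map((l) => ({ step: "grantLibraryAccess", library: l })),
    { step: "createFolder", path: "/Onboarding/" + hire.upn },
    ...[1, 7, 30].map((d) => ({ step: "scheduleEmail", day: d, sendOn: addDays(start, d - 1) })),
    { step: "notifyIT", needsReview },
  ];
  return steps.map((s) => ({ ...s, target: hire.upn }));
}

// Reverse flow: cut the account off first (so nothing can be used while access
// is being unwound), then undo grants in reverse order, then free the licence.
function buildOffboardingPlan(hire) {
  const undo = { addToGroup: "removeFromGroup", addToTeam: "removeFromTeam", grantLibraryAccess: "revokeLibraryAccess" };
  const grants = buildOnboardingPlan(hire).filter((s) => undo[s.step]);
  return [
    { step: "blockSignIn", target: hire.upn },
    { step: "revokeSessions", target: hire.upn },
    ...grants.reverse().map((s) => ({ ...s, step: undo[s.step] })),
    { step: "removeLicense", sku: resolveTemplate(hire.jobTitle).template.license, target: hire.upn },
  ];
}

// Constructed sample hire.
const SAMPLE_HIRE = { upn: "new.hire@corp.example", jobTitle: "Sales Account Executive", startDate: "2024-06-03" };
console.log(buildOnboardingPlan(SAMPLE_HIRE).map((s) => s.step).join(" -> "));
console.log(buildOffboardingPlan(SAMPLE_HIRE).map((s) => s.step).join(" -> "));
```

Deriving the offboarding plan from the onboarding template is what keeps the two flows in sync: an access bundle added to a template later is automatically revoked by the reverse flow, which a hand-maintained offboarding checklist would miss.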

Download on Creator Hub →


4. Convert Outlook Emails to Planner Tasks with Secure Score Monitoring

The problem: Action items arrive by email and disappear into inboxes. Security recommendations sit in the M365 Admin Center unread. Neither gets turned into trackable work.

What the workflow does:

Two connected workflows. The first monitors a designated Outlook mailbox (or uses rules to forward flagged emails) and creates Microsoft Planner tasks from incoming action requests — with due dates parsed from the email body, assignments based on keywords, and the original email attached as context.

The second runs daily and pulls the current Microsoft Secure Score from the Graph API. Compares it to the previous day's score. If it drops by more than a configurable threshold, creates a Planner task automatically and sends a Teams alert with the specific recommendation that caused the drop.

Together these two workflows mean that both operational requests and security recommendations land in the same task system, with the same visibility, and neither gets lost in an inbox.
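The daily Secure Score comparison from the second workflow, as an added example that is not the article's or the workflow's own code. Both snapshots follow the shape returned by Graph's `GET /security/secureScores` (`currentScore`, `maxScore`, `controlScores[{controlName, controlCategory, score}]`), but the control names and values are constructed, and the threshold is the configurable one the article mentions. Besides the point delta, the example lists which controls regressed, since "the score dropped 7 points" is not actionable until someone knows which recommendation changed; controls that appear for the first time today are skipped rather than miscounted as drops.

```javascript
// Added example, not the article's or the workflow's code. Snapshot values
// and control names are constructed; only the field names follow Graph.

const DROP_THRESHOLD = 5; // points; configurable in the workflow

function compareSecureScore(previous, current) {
  const delta = current.currentScore - previous.currentScore;
  const before = new Map(previous.controlScores.map((c) => [c.controlName, c.score]));
  // Controls whose score went down since the previous snapshot, largest drop
  // first. Controls absent yesterday cannot have "dropped" and are skipped.
  const regressions = current.controlScores
    .filter((c) => before.has(c.controlName) && c.score < before.get(c.controlName))
    .map((c) => ({
      controlName: c.controlName,
      category: c.controlCategory,
      from: before.get(c.controlName),
      to: c.score,
      drop: before.get(c.controlName) - c.score,
    }))
    .sort((a, b) => b.drop - a.drop);
  return {
    delta,
    percent: Math.round((current.currentScore / current.maxScore) * 1000) / 10,
    regressions,
    alert: delta <= -DROP_THRESHOLD,
  };
}

// What the workflow would send on: a title for POST /planner/tasks (planId and
// bucketId are placeholders), a description for the task's details resource,
// and the one-line Teams alert. Returns null when no alert is due.
function buildAlert(result, planId, bucketId) {
  if (!result.alert) return null;
  const top = result.regressions[0];
  const detail = result.regressions
    .map((r) => r.controlName + " (" + r.from + " -> " + r.to + ")")
    .join("; ");
  return {
    plannerTask: {
      planId,
      bucketId,
      title: "Secure Score dropped " + Math.abs(result.delta) + " points: " +
        (top ? top.controlName : "no single control regression found"),
    },
    taskDescription: "Regressed controls: " + (detail || "none"),
    teamsMessage: "Secure Score is now " + result.percent + "%; biggest drop: " +
      (top ? top.controlName + " (-" + top.drop + ")" : "n/a"),
  };
}

// Constructed snapshots for two consecutive days.
const YESTERDAY = { currentScore: 62, maxScore: 100, controlScores: [
  { controlName: "MfaRegistration", controlCategory: "Identity", score: 10 },
  { controlName: "BlockLegacyAuth", controlCategory: "Identity", score: 8 },
  { controlName: "SafeAttachments", controlCategory: "Apps", score: 5 },
] };
const TODAY = { currentScore: 55, maxScore: 100, controlScores: [
  { controlName: "MfaRegistration", controlCategory: "Identity", score: 4 },
  { controlName: "BlockLegacyAuth", controlCategory: "Identity", score: 8 },
  { controlName: "SafeAttachments", controlCategory: "Apps", score: 4 },
  { controlName: "NewControlAddedToday", controlCategory: "Data", score: 0 },
] };

console.log(JSON.stringify(buildAlert(compareSecureScore(YESTERDAY, TODAY), "plan-placeholder", "bucket-placeholder")));
```

The percentage is reported alongside the points because `maxScore` moves when Microsoft adds or retires controls; a day where the points are flat but the percentage falls means new recommendations appeared, which is worth a task of its own even though it is not a regression.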

Download on Creator Hub →


5. Archive Outlook Email Attachments to OneDrive with SharePoint Logging

The problem: Important documents arrive as email attachments and live in inboxes forever. Finance gets invoices by email. Legal gets contracts. Operations gets reports. None of it ends up in the right SharePoint library without manual effort.

What the workflow does:

Monitors one or more Outlook mailboxes for incoming attachments. Classifies the document type using AI (invoice, contract, report, other). Routes to the correct OneDrive folder or SharePoint library based on classification. Applies naming conventions automatically. Logs the filing action to a SharePoint list including sender, date, document type, and destination. Sends a Teams notification for high-priority document types (contracts over a configurable value, invoices from new vendors).

The AI classification step is optional — you can also use simple rules (sender domain, subject keywords) if you want to keep the workflow fully deterministic and avoid any LLM dependency.
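The deterministic alternative described above, as an added example that is not the article's or the workflow's own code: classification by sender domain and subject keyword, the naming convention, routing to a library, the SharePoint log row, and the notification rule for contracts and invoices from unknown vendors. Domains, keywords, library paths and the known-vendor list are constructed. One detail the workflow needs regardless of which classifier it uses: attachment names come from outside the tenant, so the example keeps only the base name and a safe character set before building the destination path.

```javascript
// Added example, not the article's or the workflow's code. Rules, paths and
// the vendor list are constructed placeholders.

const RULES = [
  { type: "invoice",  senderDomains: ["billing.supplier.example"], keywords: ["invoice", "lasku"] },
  { type: "contract", senderDomains: ["legal.partner.example"],    keywords: ["contract", "agreement", "sopimus"] },
  { type: "report",   senderDomains: [],                            keywords: ["report", "raportti"] },
];
const DESTINATIONS = {
  invoice:  "/sites/Finance/Shared Documents/Invoices",
  contract: "/sites/Legal/Shared Documents/Contracts",
  report:   "/sites/Operations/Shared Documents/Reports",
  other:    "/sites/Mailroom/Shared Documents/Unsorted",
};
const KNOWN_VENDOR_DOMAINS = new Set(["billing.supplier.example"]);

function senderDomain(message) {
  const at = message.from.lastIndexOf("@");
  return at < 0 ? "" : message.from.slice(at + 1).toLowerCase();
}

// Sender domain wins over subject keywords: mail from the known billing
// address is an invoice even if the subject happens to say "report".
function classify(message) {
  const domain = senderDomain(message);
  const subject = message.subject.toLowerCase();
  const byDomain = RULES.find((r) => r.senderDomains.includes(domain));
  if (byDomain) return byDomain.type;
  const byKeyword = RULES.find((r) => r.keywords.some((k) => subject.includes(k)));
  return byKeyword ? byKeyword.type : "other";
}

// Untrusted input: drop any directory part and any character outside a safe
// set, so a crafted name cannot steer the file out of the target library.
function safeFileName(original) {
  const base = String(original).split(/[\\/]/).pop() || "attachment";
  return base.replace(/[^A-Za-z0-9._-]+/g, "_").replace(/^\.+/, "") || "attachment";
}

function fileAttachment(message, attachment, now) {
  const type = classify(message);
  const domain = safeFileName(senderDomain(message));
  const name = now.toISOString().slice(0, 10) + "_" + type + "_" + domain + "_" + safeFileName(attachment.name);
  // High-priority notifications: every contract, and invoices from a domain
  // not on the known-vendor list.
  const notify = type === "contract" || (type === "invoice" && !KNOWN_VENDOR_DOMAINS.has(domain));
  return {
    destination: DESTINATIONS[type] + "/" + name,
    notify,
    logEntry: { sender: message.from, date: now.toISOString(), documentType: type,
                destination: DESTINATIONS[type], fileName: name },
  };
}

// Constructed sample message with a hostile attachment name.
const NOW = new Date("2024-06-01T09:30:00Z");
const SAMPLE_MESSAGE = {
  from: "ap@billing.supplier.example",
  subject: "Invoice 1234 for May",
  attachments: [{ name: "../../inv 1234.pdf" }],
};
console.log(JSON.stringify(fileAttachment(SAMPLE_MESSAGE, SAMPLE_MESSAGE.attachments[0], NOW)));
```

The rule order matters for the "new vendor" alert: an invoice is only "from a known vendor" when the sender domain is on the list, so a keyword-only match from an unfamiliar domain always notifies, which is the case a finance team most wants to see.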

Download on Creator Hub →


The Infrastructure These Run On

All five workflows run on a single self-hosted n8n instance. My standard setup for Finnish clients:

```text
Hetzner CX22 (2 vCPU, 4GB RAM) — ~€4/month
Docker Compose: n8n + PostgreSQL + Caddy
Daily backup to Hetzner Object Storage
Caddy reverse proxy with IP allowlist
```

Total running cost: under €10/month. All workflow data, execution logs, and credentials stay in EU infrastructure you control.

For NIS2-relevant environments, the PostgreSQL execution logs serve as the audit trail. Every workflow execution is timestamped and stored, giving you evidence that governance processes ran on schedule and what they found.
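The IP allowlist from the setup above, as an added Caddyfile example that is not the author's deployment files; the hostname, the CIDR ranges and the `n8n` container name are placeholders. Requests from any other source get a 403 before they reach n8n, and Caddy's automatic HTTPS still covers the public name.

```caddyfile
# Added example, not the author's configuration. Hostname, addresses and the
# upstream container name are placeholders.
n8n.example.com {
    # Office range and one VPN egress address (placeholders).
    @allowed remote_ip 203.0.113.0/24 198.51.100.10

    handle @allowed {
        reverse_proxy n8n:5678
    }

    # Everyone else: refuse before the request reaches the n8n login page.
    handle {
        respond "Forbidden" 403
    }
}
```

Two checks go with this. In the Compose file, n8n's port 5678 should be exposed only on the Docker network (no `ports:` mapping to the host), otherwise the allowlist can be bypassed by connecting to the container directly. And `remote_ip` sees the address of whoever connects to Caddy, so if another proxy or CDN sits in front, the allowlist would match that proxy rather than the client; in that setup the matcher has to be configured to trust the forwarding proxy instead.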


What This Looks Like in Practice

A mid-market Finnish company running these five workflows gets:

  • Guest accounts reviewed and documented monthly (NIS2 supply chain security)
  • License spend optimized continuously with one-click approval
  • Onboarding and offboarding running consistently regardless of who's on the IT team
  • Security recommendations automatically converted to trackable tasks
  • Document filing handled automatically with a complete audit log

None of this requires buying a new platform. It requires connecting the platforms you already have.


Getting the Workflows

All five are free on the n8n Creator Hub. Download, import to your n8n instance, configure your credentials, and they run.

If you want them deployed, configured, and maintained on your own infrastructure without touching the setup yourself, that's what AutomiQ does. Fixed price, fixed timeline, self-hosted on EU sovereign infrastructure.

Either way — the governance problems are solvable. They just need the automation layer connecting the tools you already have.


Mychel Garzon is an n8n Verified Creator, n8n Community Ambassador for Helsinki, and founder of AutomiQ — a business process automation consultancy serving companies across Finland and Europe.
