Lots of things are popping up as sovereign alternatives to M365. Very few of them seem to focus on the things that lock corporate users into the M365 ecosystem. For anyone looking at these things, here are a few things I’d regard as table stakes for a lot of current M365 users (note: not a complete list):

• Autosaving to an organisation-controlled (and backed up) storage location. Can be hosted by a third party (small companies don’t want to do this themselves).
• Version tagging of documents.
• Native apps for Windows, macOS, Android and iOS.
• Web apps for all of the same functionality as the native apps.
• Collaborative editing that works between both web and native views of the same document.
• Integrated account management.
• Sharing with both anonymous (anyone with the link) and externally authorised (partner org via OAuth or whatever) entities outside the company
• Auditable access control, with mechanisms for revoking access to, or limiting sharing of, documents, at different granularities.
• Easy integration with third-party document management systems (for ISO 9001 and similar compliance).
• Presenter mode for the presenter app in the video conferencing system, so the slides are rendered locally at the other end and work with accessibility tools (this is a legal requirement in some jurisdictions).
• Easy file sharing in the integrated chat system.
• Server-side search across documents (the SharePoint one isn’t good, but it’s better than nothing).
• Easy extension mechanism adding in-house workflow-specific behaviours.
• Export and import of OOXML (yes, OOXML sucks. But I often need to send a PowerPoint presentation to be compiled in someone else’s deck at a different company or at a conference and I need to know it will work. Keynote, impressively, can export PowerPoint files that crash the PowerPoint web viewer).
• GDPR-compliant ways of deleting things.
• Multi-factor authentication.
• Automatic updates for security patches.
• Don’t send everyone 30 emails to everyone not in your ecosystem when someone adds an agenda to a meeting invitation (yes, Google Calendar, I’m looking at you).

Note that a couple of these effectively preclude anything AGPL’d. If a company adds some extensions to the system and shares a link with another company, AGPL means that they have to share the code for those extensions. Even without extensions, AGPL imposes conditions that mean someone needs to talk to a lawyer before allowing link sharing with external entities. GPL is fine for this (extensions are not distributed, so the issues don’t arise) but AGPL comes with too much legal risk to be considered.

Some things that M365 does that probably aren’t essential but are nice:

• Integration with OS remote-file mechanism on macOS and Windows so sets of files can be locally ‘sync’d’ but actually loaded on demand and automatically excluded from backups.
• Collaborative editing of all documents in the video-conferencing system. Sometimes it’s really useful to bring up a shared view and let everyone type in, say, a spreadsheet.

Some people use InTune for Cyber Essentials and ISO 27001 but it’s such a complete security disaster that no one should ever deploy it in any situation, especially not for security certification. Something written by people who actually know what the principle least privilege is would be useful.

And a few things where M365 is bad (there are many of these, but from the top of my head) and you could easily do much better:

• Calendars with events owned by a team, not an individual, so anyone can cancel a meeting if there isn’t quorum, or can reschedule it if the organiser leaves the company.
• Search that actually works.
• An Improv-like spreadsheet.
• Proper semantic markup in the word processor with clear separation of stylesheets.
• A modern typesetting system. And, by modern, I mean ‘algorithms designed for 1970s minicomputers’, not the more limited versions cut down for 1980s microcomputers.
• A consistent set of editing tools, along the lines of ClarisWorks, so drawing in a word processor and a presenter aren’t different, and a table view in a word processor or presentation is a spreadsheet.
• PowerPoint has morph transitions for doing key frame animation. This is better than PowerPoint used to be, but it’s worse than Flash was in 1996. Catch up with 30-year-old technology.
• Actually respect the HIGs on macOS.
• Don’t be Exchange. This one is easy. But Exchange remains the absolute worst at everything it does.
• Add a mechanism for flagging personal info in emails. Outlook has no way of being GDPR-compliant if, for example, someone emails a CV. At MS, we were told to simply delete the email and tell the person to apply through another system. But what I want is to be able to tag the email as personal information for the sender and have it deleted and expunged if a GDPR request to do so is filed.
• Actually, better GDPR-compliance tooling throughout would be nice.
• Anomaly detection in the back end to trigger reauthentication if a client device appears to be accessing things unusually, including out-of-band notification of what the user has accessed so they can confirm that it’s intentional.
• Default to opening files in ‘view only’ mode.
• An integrated document-management system so you don’t need to buy a third-party one for ISO 9001.
• A clear export flow for sharing a version of a document with no history, while the internal version has complete history available.