Microsoft 365 & Identity
Your tenant is the front door to everything your firm does. We administer it the way a bank would: security baselines applied, identity designed deliberately, and every privileged action accountable.
Identity first
Most Microsoft 365 problems are identity problems wearing a disguise. Before touching mailboxes or SharePoint libraries, we get Entra ID right: clean group structure, least-privilege admin roles, and conditional access policies that decide who gets in, from which devices, and under what conditions. Legacy authentication, the door most attackers still walk through, gets shut off, with the exceptions documented and time-boxed.
MFA rollout is handled as a managed change, not a surprise email blast: communication to staff, enrollment sessions where needed, phishing-resistant methods for privileged accounts, and a report at the end showing 100% coverage. 95% coverage means the attacker only needs to find the other 5%.
Security baselines, applied and kept
Every managed tenant gets a written security baseline covering admin role hygiene, mail authentication (SPF, DKIM, DMARC), safe attachment and link policies, audit logging, and data-sharing defaults for SharePoint and OneDrive. The baseline isn't a one-time hardening pass. It's re-checked on a schedule, and drift is treated as an incident with a cause, not a shrug.
Governance for Exchange, SharePoint, and Teams
Collaboration tools sprawl by default. We put structure around them before the sprawl becomes the system of record:
- Exchange. Mail flow rules, shared mailbox strategy, retention aligned with how your firm actually operates.
- SharePoint. Site architecture, external-sharing policy, permission reviews that someone actually runs.
- Teams. Creation governance, guest access policy, and lifecycle rules so dead teams don't accumulate risk.
Tenant-to-tenant migrations
Mergers, spin-offs, and rebrands mean moving mail, files, and identities between tenants without losing a business day. We run these end to end: discovery and mapping, coexistence planning, cutover scheduling around your calendar, and post-migration verification of mail flow, DNS authentication records, and device enrollment. The DNS work (MX, DKIM selectors, SPF) is handled byte for byte, because "mostly right" DNS is how mail silently disappears.
What's included
- Entra ID architecture and conditional access design
- MFA rollout with phishing-resistant methods for admins
- Written tenant security baseline, re-verified on schedule
- Exchange, SharePoint, and Teams governance
- Tenant-to-tenant and legacy-mail migrations
- License optimization: paying for what's used, not what was once quoted
FAQ
When did anyone last audit your tenant?
The assessment scores it against a written baseline: admin roles, MFA coverage, mail authentication, sharing policy. You keep the findings.