Summary. Keep your Microsoft 365 tenant healthy and secure. We watch Secure Score, baseline policies, and change governance so things don’t drift.
Who it's for. SMEs on Microsoft 365 who want a single owner for tenant hygiene: security baselines, identity access posture, mail & data protections, and regular change notes.
Business Outcomes
- Higher Secure Score over time with pragmatic policy updates
- Fewer risky sign-ins and permissions drift; break-glass access tested
- Clear governance notes that leadership can review quickly
What’s Included
| Scope | Description |
| --- | --- |
| Core Inclusions | - Tenant baseline policy checks (MFA/CA posture, Safe Links/Attachments, sharing defaults)<br>- Secure Score tracking and quarterly uplift recommendations<br>- Change governance notes and exceptions log; monthly summary |
| Optional Add‑Ons | - App onboarding (SSO) best practices and reviews<br>- DLP/CASB posture design and rollout (project)<br>- Advanced threat detections licensing (pass-through)<br>- Self-Service Password Reset (SSPR) enablement<br>- Guest access governance (B2B) & external sharing reviews |
Onboarding & Steady‑State
Note: timelines depend on size and current tooling.
| Phase | Activities | Deliverables | Indicative Duration |
| --- | --- | --- | --- |
| 01 — Baseline | - Assessment; policy inventory<br>- Break‑glass account validation | - Baseline controls & plan; break-glass validated | 0.5–1 week |
| 02 — Stabilise | - Variance reduction; exclusions review<br>- Mail and share posture tuned | - Steady baseline with KPIs; exceptions register (owner + expiry) | 1–2 weeks |
| 03 — Operate | - Monthly report; quarterly uplift plan | - Monthly KPIs + quarterly uplift plan | Ongoing |

We can forward key signals (Secure Score deltas, risky sign-ins) to a SIEM.
Service Levels (Summary)
| Plan | Coverage | Response / Restore | Governance |
| --- | --- | --- | --- |
| Bronze | Business hours (Mon–Fri 08:00–17:00 NZT, except Public Holidays) | P1: 2h / NBD • P2: 4h / 2BD | Email support • Monthly summary |
| Silver | Extended hours (Mon–Fri 07:00–19:00 NZT, except Public Holidays) | P1: 1h / Same day • P2: 2h / NBD | Weekly check‑in • Exceptions log |
| Gold | Business + after‑hours (24×7 P1 only) | P1: 30m / ASAP • P2: 1h / Same day | Executive summary • CAB-ready change notes |
Success Criteria (from our perspective)
- Secure Score trend up and to the right
- MFA/CA coverage ≥ target
- Risky sign-ins trend down
- Exceptions resolved or documented with owners
Prerequisites
- Admin or delegated access to M365/Entra ID
- Agreement on change windows and who approves changes
- License entitlements suitable for required controls
- Change window for policy updates (MFA/CA/mail/share)
Assumptions
- Standard change control with rollback plans
- Corporate-managed users/tenants in scope
- Licensing is pass‑through at vendor MSRP
- CAB attendance on request (Gold)
Out of Scope
- Large migrations (Exchange/SharePoint/Entra) — project
- Custom automation/integration without a change request
- Third‑party licensing procurement (pass‑through only)