Skip to content
Andy Lawsonandylawson.uk

Consultancy service

02 / 05

Security, identity and Microsoft 365 governance

Microsoft 365, Entra, MFA, Conditional Access, identity posture, access control, governance and risk reduction.

Technical assuranceAvailable from August 2026

The problem

Microsoft 365 tenants grow by accumulation. Settings made under pressure, access granted for projects that ended years ago, guest accounts nobody remembers inviting and sharing that quietly widened over time. Each item is small; together they are the tenant's real security posture.

Governance work is unglamorous, but it decides what an incident costs, what an auditor finds and whether tools that read everything, such as Copilot, can be adopted safely.

Typical situations

05 listed

  • A tenant that has never had a structured security and configuration review.
  • Identity hardening: MFA coverage, Conditional Access design and privileged access.
  • Access and permission sprawl across SharePoint, Teams and shared mailboxes.
  • Preparing a tenant for AI tooling, where oversharing becomes data exposure.
  • Audit findings that need turning into a prioritised, evidenced remediation plan.

How the work runs

Read-only first

  1. 01

    Assess read-only

    A structured review of identity, access, configuration and sharing, using read-only access wherever the platform allows.

  2. 02

    Rank by real risk

    Findings prioritised by what they expose for this organisation, not by checklist order.

  3. 03

    Agree the guardrails

    Conditional Access, MFA and access policies designed with the business, with exceptions recorded rather than improvised.

  4. 04

    Remediate in controlled steps

    Changes staged to avoid locking people out, with evidence captured as each control lands.

  5. 05

    Leave it governable

    Documentation, reporting and a review cadence so the posture holds after the engagement ends.

Risks and decisions

Judgement before action

Risks to control

  • A control that reaches further than anyone believed, discovered as a lockout.
  • Exceptions that exist only in someone's memory, rediscovered as incidents.
  • Policies applied to an assumed population rather than an enumerated one.
  • Privilege that has never been reviewed against who still needs it.
  • A change record that cannot explain the decision to the person investigating it.

Decisions to settle

  • Exactly who and what each control applies to, taken from the platform's own data.
  • Which exceptions are justified, and when each one expires.
  • How impact is observed before enforcement: report-only, a pilot group, or both.
  • What rollback restores, defined before the change rather than improvised after it.
  • Who accepts the residual risk, by name.

What you get back

06 artefacts

  1. 01Tenant security and configuration review
  2. 02Identity and access findings with risk ranking
  3. 03Conditional Access and MFA design
  4. 04Access and sharing remediation plan
  5. 05AI readiness assessment for Microsoft 365
  6. 06Evidence pack and governance recommendations