Microsoft 365 & Security
Modern Workplace & Enterprise Security
A phish-resistant, fully managed Microsoft 365 environment — built on a standardised automation baseline covering Intune, Conditional Access, Defender, and Zero Trust security across every device and user.
What You Get
A Secure, Productive Environment — From Day One
Our standardised baseline is deployed via automation, bringing enterprise-grade security and a seamless user experience without the months-long setup.
Security Model
Built on Zero Trust
Zero Trust means no device, user, or network connection is trusted by default — not even inside your own office. Access is earned at every sign-in, not assumed.
Never Trust, Always Verify
Traditional security assumes that anyone inside the network is safe. Zero Trust assumes the opposite — threats can come from anywhere, including from within. Every request to access company data is evaluated in real time against three questions: is the identity verified, is the device in a healthy state, and is the level of access being requested appropriate? Only when all three pass does access get granted.
The foundation of this is Intune compliance policies. Before a device can touch any company resource, Intune checks that the drive is encrypted, antivirus is active and reporting clean, the operating system is at a minimum required version, and secure boot is enabled. These aren’t one-time checks at enrolment — they’re continuous. A device that falls out of compliance mid-day loses access automatically, without anyone having to intervene.
On top of compliance, OS hardening reduces the attack surface of every managed device. Attack Surface Reduction rules block the techniques most commonly used in ransomware and phishing attacks — such as Office macros spawning processes or scripts running from temporary folders. Controlled folder access prevents unauthorised applications from touching OneDrive and document directories. Network Protection stops connections to known malicious domains before they complete. Together, these make a managed device fundamentally harder to compromise than a standard Windows machine.
Conditional Access rules are the enforcement layer that ties identity and device compliance together. When a user signs in, their request is evaluated in real time — checking their identity, their MFA method, and whether their device is Intune-compliant. Locally installed apps like Teams and Outlook are only permitted on managed, compliant devices, meaning company data never syncs to a personal or unmanaged computer. Browser-based access requires a phish-resistant authentication method. If any condition isn’t met, access is denied or restricted — automatically, with no manual review.
If Defender for Endpoint detects an active threat on a device, the risk signal is fed directly into Intune. The device is immediately marked non-compliant, which in turn triggers Conditional Access to revoke its access to company resources — all in real time, without waiting for an administrator to respond. This closed loop between endpoint detection, compliance, and access control is what makes Zero Trust more than a policy on paper.
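The closed loop described above, worked through as an added example (this is illustrative code, not Config365's own implementation): device compliance is recomputed from the checks the page lists, a Defender risk signal overrides the result, and the Conditional Access decision is re-evaluated on every request rather than cached. The field names, the minimum build number, the risk levels that block, and the "restricted" outcome for unmanaged browser sessions are assumptions made for the example.

```python
"""Added example, not Config365's own code: a model of the Zero Trust loop
described above. Compliance is derived from the checks the page lists (disk
encryption, antivirus active and clean, minimum OS build, Secure Boot); a
Defender risk signal overrides them; and the access decision is recomputed
on every request, so a device that falls out of compliance loses access at
once. Field names, the build number, the blocking risk levels and the
'restricted' outcome for unmanaged browser sessions are assumptions."""
from dataclasses import dataclass
from typing import Optional

MIN_OS_BUILD = 22631                      # assumed minimum build for the example
PHISH_RESISTANT = {"fido2", "windows_hello_for_business", "certificate"}
BLOCKING_RISK = {"medium", "high"}        # assumed Defender risk levels that block


@dataclass
class Device:
    name: str
    disk_encrypted: bool
    av_active: bool
    av_clean: bool
    os_build: int
    secure_boot: bool
    defender_risk: str = "none"           # "none", "low", "medium" or "high"


@dataclass
class Request:
    user: str
    identity_verified: bool
    auth_method: str                      # e.g. "fido2", "push", "sms"
    client: str                           # "native" (Teams/Outlook app) or "browser"
    device: Optional[Device] = None       # None = personal / unmanaged device


def compliance_failures(device: Device) -> list:
    """Reasons the device is non-compliant; an empty list means compliant.
    Evaluated on every request, not once at enrolment."""
    failures = []
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not (device.av_active and device.av_clean):
        failures.append("antivirus inactive or reporting a detection")
    if device.os_build < MIN_OS_BUILD:
        failures.append(f"OS build {device.os_build} below {MIN_OS_BUILD}")
    if not device.secure_boot:
        failures.append("Secure Boot disabled")
    if device.defender_risk in BLOCKING_RISK:
        failures.append(f"Defender risk level {device.defender_risk}")
    return failures


def evaluate(req: Request) -> tuple:
    """Conditional Access decision: ('grant' | 'restricted' | 'deny', reasons)."""
    if not req.identity_verified:
        return "deny", ["identity not verified"]
    if req.client == "native":
        if req.device is None:
            return "deny", ["native apps require a managed device"]
        failures = compliance_failures(req.device)
        return ("deny", failures) if failures else ("grant", [])
    if req.client == "browser":
        if req.auth_method not in PHISH_RESISTANT:
            return "deny", ["browser access requires phish-resistant authentication"]
        if req.device is None:
            return "restricted", ["unmanaged device: browser session only, no sync"]
        failures = compliance_failures(req.device)
        return ("deny", failures) if failures else ("grant", [])
    return "deny", [f"unknown client type {req.client}"]


def closed_loop_demo() -> list:
    """Walk one laptop through detect -> non-compliant -> revoke -> restore."""
    laptop = Device("LAPTOP-01", True, True, True, 22635, True)
    req = Request("alice", True, "fido2", "native", laptop)
    decisions = [evaluate(req)[0]]          # healthy device: grant
    laptop.defender_risk = "high"           # Defender raises a risk signal
    decisions.append(evaluate(req)[0])      # the same request is now denied
    laptop.defender_risk = "none"           # remediation completes
    decisions.append(evaluate(req)[0])      # access restored automatically
    return decisions


if __name__ == "__main__":
    print(closed_loop_demo())
    print(evaluate(Request("bob", True, "sms", "browser")))
```

The point of keeping `evaluate` stateless is that there is nothing to expire or revoke by hand: the moment the risk signal or any compliance input changes, the next request already sees the new decision.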
Managed Devices
A Secure Environment, Out of the Box
Every device your team uses — Windows, Mac, iPhone, Android — is enrolled, configured, and hardened automatically. Users get a polished experience from day one; IT gets full control without the manual overhead.
What the Experience Looks Like
When a new employee signs into a fresh computer, everything is already waiting for them. Edge opens signed in, OneDrive begins syncing their documents automatically, and their applications install in the background — no IT ticket, no setup wizard, no wasted first morning. The same applies when they pick up their phone: Microsoft apps are secured with a PIN or Face ID, and company data stays isolated from personal storage without requiring the company to manage the device itself.
On the security side, hard drives are encrypted automatically on both Windows and Mac, with recovery keys stored centrally in Entra ID. A common attack technique is for malware to silently create firewall or Defender antivirus exceptions before downloading a payload — we remove that capability entirely, so no application or user on the device can weaken the firewall or disable antivirus protections without going through a central administrator. Alongside this, a set of OS-level hardening measures runs silently in the background: blocking the script execution techniques most commonly used in ransomware, preventing unauthorised processes from accessing document folders, and stopping connections to known malicious sites before they complete.
Threat Protection
Staying Ahead of Threats
Keeping devices patched, detecting threats in real time, and responding automatically — so your team doesn’t have to.
Detection, Response & Patching
Microsoft Defender runs on every managed device — Windows, Mac, iOS, and Android — checking every file opened against a global threat intelligence network in real time. If a threat is detected, Defender doesn’t wait for someone to notice: it automatically investigates, contains the issue, and — because it feeds directly into Intune — immediately marks the device non-compliant, which causes Conditional Access to revoke its access to company resources until the device is clean. The response is automatic and takes seconds, not hours.
Windows updates are handled by Windows Autopatch, which groups devices into deployment waves and manages approvals without requiring IT to manually approve each patch cycle. Third-party applications are scanned continuously for known vulnerabilities, auto-updated where possible, and users are notified about anything that needs their attention — reducing the window of exposure that attackers rely on. For organisations running servers, the same detection and vulnerability management capabilities extend there too, giving a single unified view of security health across the entire infrastructure.
Email & Identity
Email Security & Phishing Protection
Protecting the Most Common Attack Vector
Email remains the primary entry point for attacks, and standard spam filters are no longer sufficient. Every attachment that arrives in a mailbox is detonated in a safe sandbox before the user ever sees it. Every link is re-checked at the moment of click — not just when the email was delivered — so threats that were clean on arrival but weaponised later are still blocked. If Microsoft’s global network identifies a new threat, messages already sitting in inboxes are automatically pulled back and deleted without any action from the user or IT team.
Beyond filtering, we harden the email infrastructure itself. Transport rules block known malicious patterns before messages reach the inbox. Non-delivery receipts — which attackers use to harvest valid email addresses — are disabled. DMARC, DKIM, and SPF are configured and monitored to ensure your domain can’t be spoofed by attackers sending email that appears to come from you.
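As an added example of what "configured and monitored" means for the domain records mentioned above (illustrative code, not Config365's own tooling): a small checker that parses SPF and DMARC TXT record strings and reports the settings that leave a domain spoofable, shown against a constructed weak pair and a hardened pair for example.com. The records are supplied inline; a real check would read them from DNS.

```python
"""Added example, not Config365's own code: a checker for the SPF and DMARC
records the page says are configured and monitored. It parses TXT record
strings supplied inline (in practice they come from DNS) and reports the
settings that leave a domain spoofable. The sample records are constructed."""
from typing import Optional


def parse_spf(record: str) -> Optional[dict]:
    """Return the SPF mechanisms and the qualifier on 'all', or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term           # SPF: a missing qualifier means '+'
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            all_qualifier = qualifier
    return {"mechanisms": terms[1:], "all": all_qualifier}


def parse_dmarc(record: str) -> Optional[dict]:
    """Return DMARC tags as a dict, or None if the record is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> list:
    """List the weaknesses in a domain's SPF/DMARC pair; empty means enforced."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no v=spf1 record, receivers cannot check the sender")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are neutral")
    elif spf["all"] in "+?":
        findings.append(f"SPF: '{spf['all']}all' lets any host pass or stay neutral")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record, spoofed mail is not rejected")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors, it does not block")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to a sample only")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so spoofing attempts go unmonitored")
    return findings


# Constructed records for example.com: a weak pair and a hardened pair
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for finding in assess(WEAK_SPF, WEAK_DMARC):
        print("weak:", finding)
    print("hardened:", assess(HARDENED_SPF, HARDENED_DMARC) or "no findings")
```

A `~all` softfail is deliberately not flagged: once DMARC is at `p=reject`, the DMARC policy is what blocks spoofed mail, and the `rua=` address is what turns "configured" into "monitored".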
We also protect against a class of attack that standard MFA cannot stop: man-in-the-middle phishing, where a proxy server sits between the user and Microsoft’s login page and silently records the session. Our custom login-page solution validates each session in real time on our servers. Users see a clear visual confirmation on a safe login, and an immediate red warning if something is wrong — catching attacks that would otherwise go completely undetected.
Applications
Application Control & Deployment
Automatic Deployment, Controlled Execution
Applications install automatically when a user first signs in — drawn from a privately hosted software repository with built-in malware scanning — so onboarding a new device takes minutes rather than hours. Updates happen silently in the background, keeping every machine current without any user involvement or IT intervention.
Application execution is also controlled. Windows AppLocker restricts which programs can run and from where, blocking the kinds of malicious scripts and executables that antivirus alone often misses. The approach works by allowing known-good applications and denying everything else — so even if something malicious makes it onto a device, it cannot execute. A white-listing phase at the start of the engagement ensures all legitimate software is accounted for before enforcement begins.
Visibility
Continuous Monitoring
Health Across Every Device, Without Extra Software
Knowing that security controls are actually working across every managed device — not just configured but actively healthy — requires continuous monitoring. Our solution tracks device health using Azure Monitor and lightweight scheduled tasks, with no remote monitoring agent to install or maintain. It surfaces whether Defender is active, whether OneDrive is syncing, and whether each device remains compliant, all feeding into a single view. A dedicated Log Analytics workspace is deployed per customer and billed only on what’s ingested, keeping costs proportional to scale.
Deployment
Automation Platform
Standardised, Automated Baseline
Intune policies, configuration profiles, Conditional Access rules, security groups, and Entra settings are deployed via Config365 — our open-source Microsoft 365 automation platform built on a standardised baseline. All options are granular and applied to users and devices through security groups. The environment is maintained to the highest standard and in compliance with all major security frameworks and Microsoft recommendations.
Deployment leverages PowerShell automation via Microsoft Graph API — ensuring consistency, repeatability, and full auditability across every tenant.
Visit config365.io
Get Started
Ready to Secure Your Microsoft 365 Environment?
Let’s walk through your current setup, identify the gaps, and get a phish-resistant, fully managed environment deployed — fast.