Two scenarios, one muscle

Drift fix or green-field build.

Scenario · 01

Fixing what's drifted

Your tenant exists. Your benchmark flagged things that have slipped: a Conditional Access gap, a stale admin role, a Defender policy that was loosened during an incident. Our engineers go in and put it right.

  • Driven by the findings in your portal
  • Each fix dry-run, reviewed, then applied
  • Findings flip to resolved with an evidence trail

Scenario · 02

Setting it up properly

Brand-new tenant, a Defender rollout that never happened, or a hybrid AD you want gone. Same engineers, same standard of work. We design it, build it, and onboard it to the benchmark on the same engagement.

  • Green-field Microsoft 365, Entra ID and Azure
  • First-time Defender for Business or Defender for 365
  • Designed against the Foundry Cyber Benchmark from day one

What we cover

Microsoft cloud, end to end.

Six surface areas of a Microsoft tenant. Most engagements touch two or three. We're set up to work across all of them, whether it's a one-off fix or a full build.

Identity & access (Entra ID)

  • Conditional Access policy design or remediation
  • Phishing-resistant MFA rollouts, including FIDO2 keys
  • Break-glass account design and policy exclusions
  • Privileged Identity Management setup, role review
  • Guest and external access tightening (B2B)
  • Sign-in risk and user-risk policies

Microsoft 365 tenant baseline

  • Audit log enablement and retention
  • External sharing controls (SharePoint, OneDrive, Teams)
  • Tenant secure score remediation, prioritised by impact
  • Move off Security Defaults onto a mature CA policy set
  • Mailbox audit, unified audit, alert policies

Email security (Defender for Office 365)

  • Anti-phish, anti-spam, anti-malware policy tuning
  • Safe Links and Safe Attachments enablement
  • SPF, DKIM and DMARC configuration
  • Anti-impersonation and mailbox forwarding controls

Endpoints (Defender for Endpoint, Intune)

  • First-time Defender for Business or Defender for Endpoint rollout
  • Intune enrolment, Autopilot, device compliance baselines
  • Attack surface reduction rules
  • Disk encryption, screen lock and USB policies

Azure

  • Defender for Cloud enablement and tuning
  • RBAC scope review, role-assignment cleanup
  • Network Security Groups, public IP and storage audit
  • Key Vault access, soft-delete, purge protection
  • Landing zone baseline for new subscriptions

Information protection

  • Sensitivity labels (starter set)
  • DLP policies for common identifiers
  • Retention policies
  • Insider risk management starter configuration

How it runs

Quoted up front. Audit-trailed throughout.

  1. Triage

    We scope the engagement off the findings in your portal, or off the conversation if it's a build. You get a written quote, project or retainer, before any work starts.

  2. Dry-run

    Forge generates the proposed change. An engineer reviews it. The change is run against a test target where one is available, or against your tenant in report-only mode where it isn't.

  3. Apply

    The engineer applies the change under their own named identity. You see who did what, on what date, on every record. No shared service accounts, no batch jobs from anonymous workers.

  4. Verify

    We re-run the relevant benchmark check and capture the new state as evidence. Findings flip to resolved with a short note explaining what was wrong, what we did, and why it mattered.

What's in scope today

Where we'll go, and where we won't.

We do

  • Microsoft 365 tenant configuration
  • Entra ID and Conditional Access
  • Defender for Office 365, Endpoint, Identity and Cloud Apps
  • Azure subscription and resource hardening
  • Intune device baselines and enrolment
  • Google Workspace remediation (DWD-based)

We don't (yet)

  • AWS and GCP remediation, assess-only for now
  • Custom application source code, we'd point you to a developer partner
  • On-prem Active Directory work beyond an Entra migration window
  • Anything you don't own or have rights to change

Onboarding new customers now

Let's start with a conversation.

Tell us a bit about your business and what you're worried about. We'll come back with a plain-English view of where you stand and what we'd suggest doing first. Real people, real answers.