Get a Free Consultation
Senior Microsoft Architect · Available for Remote Engagements

Microsoft 365 &Hybrid InfrastructureConsulting

Helping organizations design secure, scalable Microsoft cloud environments through hybrid identity, security architecture, and infrastructure modernization.

Book a ConsultationExplore Services
800k+Mailboxes Migrated
64+Exchange Servers Modernised
15yrs+Microsoft Ecosystem
40%Effort Reduction via Automation
Carlos Annes — Microsoft Security Architect

Trusted by Enterprise

EricssonEricsson
MicrosoftMicrosoft
European CommissionEuropean Commission
KörberKörber
RichemontRichemont
Metro LisboaMetro Lisboa
European Patent OfficeEuropean Patent Office

Carlos brought a level of architecture rigour we rarely see from external consultants. Every change was documented, every rollback was pre-tested. We went from a fragmented endpoint estate to a fully enforced Zero Trust posture — with zero disruption to the business.

ES
Security Program LeadEricsson · Defender XDR Program · 15k+ endpoints · 2023

The Exchange 2019 deployment was the cleanest infrastructure project we have run in years. Zero mail loss on cutover, PKI rebuilt end-to-end, and a full handover runbook our team could actually use the next day.

ML
IT Infrastructure ManagerMetro Lisboa · Exchange Migration · Zero mail loss · 2023

Standardising Intune and Defender across 20+ subsidiaries is the kind of project that usually takes 18 months and three vendors. Carlos scoped it, delivered it in sprints, and left runbooks that our subsidiary IT teams could follow independently.

KB
Group IT DirectorKörber · Intune & Defender · 20+ subsidiaries · 2022
Solutions Architect Specialising In
Microsoft 365Tenant & Security
AzureCloud Platform
Exchange Online800k+ mailboxes
Defender XDREDR · MDO · Sentinel
Entra IDIdentity & PIM
Microsoft SentinelSIEM · SOAR
Intune / MEMMDM · Autopilot
PowerShellAutomation · Graph
Microsoft 365Tenant & Security
AzureCloud Platform
Exchange Online800k+ mailboxes
Defender XDREDR · MDO · Sentinel
Entra IDIdentity & PIM
Microsoft SentinelSIEM · SOAR
Intune / MEMMDM · Autopilot
PowerShellAutomation · Graph
Consulting Engagements

What I Deliver

Structured engagements with defined outcomes, evidence packs and rollback plans. Remote delivery, sprint-based.

Core Services
Security · Zero Trust · SIEM

M365 Security & Tenant Hardening

Structured hardening sprints — Conditional Access baselines, PIM enforcement, legacy-auth eradication, Defender XDR deployment, and Sentinel SIEM. Evidence pack and rollback runbook at every stage.

Entra IDConditional AccessDefender XDRPIMSentinel
View ServiceEnterprise · Remote
Identity · Directory · SSO

Hybrid Identity & Entra ID

Entra ID Connect and Cloud Sync architecture, UPN normalisation, hybrid and Entra join, PIM design, and full identity governance for complex multi-forest AD environments.

Entra IDAD ConnectPIMSSO
View ServiceHybrid · Cloud
Exchange · AD · SharePoint · T2T

Migration Services

End-to-end migrations: Exchange on-prem to Online, Active Directory consolidations, SharePoint migrations, and full Tenant-to-Tenant transitions — on-premises or cloud, with zero-data-loss cutover plans.

ExchangeActive DirectorySharePointTenant-to-Tenant
View Service800k+ mailboxes
Advisory & Specialist
Design · Strategy · Assessment

Architecture Advisory

Independent Microsoft 365 and hybrid infrastructure assessments, Zero Trust design reviews, licensing optimisation, and technical roadmap planning — from initial scoping to board-ready output.

Zero Trust DesignRoadmapAssessment
View ServiceDesign · Strategy
On-Prem · Virtualisation · AD

Infrastructure Architecture

Design and delivery of on-premises infrastructure: Active Directory, Exchange Server, Windows Server, VMware/Hyper-V virtualisation, storage, and networking — full stack, no cloud dependency required.

Active DirectoryVMware/Hyper-VWindows ServerOn-Premises
View ServiceOn-prem · Hybrid
Endpoint · MDM · Compliance

Intune Endpoint Management

Autopilot staging rings, compliance profiles, BitLocker, Defender policies, and app packaging. Pilot-to-ringed enforcement with full build book — standardised across multi-subsidiary environments.

IntuneAutopilotBitLockerMDM
View Service20+ subsidiaries
// CUSTOM ENGAGEMENT

Have a specific Microsoft or infrastructure challenge?

Bring your scenario — tenant consolidation, security architecture, hybrid identity design, or complex migrations. I'll scope it with you and propose a structured engagement.

+ Get in Touch
// Architecture Expertise

On-Premises. Hybrid. Cloud.

Full-stack Microsoft and infrastructure architecture — designed for organisations that need control, security, and documented outcomes.

Layer 1 — On-Premises

On-Premises Layer

Resilient on-premises foundation — designed for security, redundancy, and clean handover.

Active DirectoryExchange ServerWindows ServerPKI / Certificate Authority
Layer 2 — Hybrid Identity

Hybrid Identity Layer

Identity federation and service integration between on-premises AD and Microsoft 365.

Entra ID Connect / Cloud SyncExchange HybridConditional AccessUPN Normalisation
Layer 3 — Cloud Security

Cloud Security Layer

Zero Trust controls, endpoint management, and threat detection across the M365 estate.

Defender XDRSentinel SIEMIntune Endpoint ManagementPIM & Conditional Access
// Why Carlos Annes

Structured Delivery. Documented Outcomes.

Every engagement follows a controlled delivery model with documented outputs and rollback procedures — so your team can operate everything after I leave.

Evidence Pack on Every Engagement

Every sprint closes with a complete audit package — no ambiguity about what changed, when, or why.

  • Architecture diagrams
  • Before/after configuration exports
  • Operational runbook
  • Secure Score or compliance report

Enterprise Remote Delivery

Delivered to Ericsson, the European Commission, and Microsoft from Lisbon — timezone-flexible, async-capable, and structured for remote accountability.

  • Daily async via Microsoft Teams
  • CAB-aligned change windows
  • Time-boxed PIM — no standing access
  • Handover session at project close

Rollback Plans Included

Every cutover ships with a tested rollback procedure. No change goes live without a documented revert path — provided as standard, not on request.

  • Rollback procedure per change
  • CAB-ready documentation
  • 48h revert window post-cutover
  • Incident escalation playbook
Proven Results

Case Studies

Real enterprise engagements. Problem → Architecture → Implementation → Results.

Telecommunications
EricssonSecurity Program

Microsoft Defender XDR — Enterprise Endpoint Protection

Onboarded endpoints to Defender for Endpoint via Intune and GPO. Enabled EDR block mode, ASR rules, and Network Protection with Conditional Access device-risk signals.

Results
  • 15k+ endpoints onboarded to MDE
  • Zero Standing Admin implemented
  • Enterprise KQL hunting queries deployed
MDE deployed at scaleZero standing adminFull evidence packs
View full case study
Public Transport
Metro LisboaMigration Project

Exchange 2019 Deployment & Hybrid with Exchange Online

Deployed Exchange 2019 from scratch, hybrid configuration, forest/domain functional level upgrade, and a full PKI/CA refresh — sprint-based with zero mail loss.

Results
  • Exchange 2019 deployed and hybridised
  • PKI modernised — chain rebuilt
  • Zero mail loss on cutover
Hybrid deployedPKI modernisedZero mail loss
View full case study
Industrial Manufacturing
KörberStandardisation Program

Intune Baseline & Defender Rollout — Multi-Subsidiary

Standardised Intune compliance baseline and Autopilot patterns across 20+ subsidiaries. Replaced legacy AV with Defender for Endpoint and deployed MDO anti-phishing.

Results
  • 20+ subsidiaries standardised
  • Legacy AV fully replaced
  • Runbooks delivered per subsidiary
20+ subsidiariesLegacy AV replacedRunbooks delivered
View full case study
Public Sector / EU Institution
European CommissionHybrid Identity & PKI

Hybrid Identity Architecture & Exchange Hybrid — 40,000-User Platform

Designed and delivered hybrid identity architecture, Exchange hybrid coexistence, and a two-tier PKI rebuild for a 40,000-user European Commission platform with zero service disruption.

Results
  • 40k-user hybrid platform stabilised
  • PKI rebuilt — renewable certificate chain
  • Exchange OAuth trust rebuilt from scratch
40,000-user platformPKI rebuiltZero mail disruption
View full case study
Public Sector / International Organisation
European Patent OfficeUnified Communications

Lync Server Deployment & Messaging Platform — Pan-European Scope

Deployed and administered Lync Server across the European Patent Office's multi-site environment covering SIP/VoIP, load balancing, and messaging platform stabilisation.

Results
  • Lync deployed across 3 principal sites
  • SIP/VoIP integration stabilised
  • Load-balanced front-end topology delivered
Pan-European scopeLync deployedSIP/VoIP stabilised
View full case study
View all case studies
Technical Authority

Insights & Architecture Guides

View all insights
🛡️
M365 Security

Microsoft 365 Tenant Hardening: Complete Security Baseline for Enterprise

Implementation-ready guide: Conditional Access, MFA, Defender policies. Based on real delivery at Ericsson and Körber.

Read article18 min read
Microsoft 365 & Hybrid Identity Consultant | TakeItToCloud