Delivered a fixed-scope Zero Trust architecture advisory with gap analysis, a prioritised 12-month roadmap, executive documentation, and licensing optimisation.
The client — a mid-sized financial services group with approximately 800 seats operating across multiple regulatory jurisdictions — is anonymised at their request. They ran Microsoft 365 E3 with a set of E5 Security add-on licences that had been purchased reactively in response to audit findings over the preceding two years, without a coherent plan for what those licences were intended to achieve or whether they were the correct licensing vehicle for their specific control requirements. The internal IT team was operationally competent and had maintained the environment without major incident, but lacked the depth in Microsoft security architecture to produce the kind of independent assessment their cyber insurance underwriter had requested as a condition of renewal.
The cyber insurance questionnaire was the immediate forcing function. The underwriter had introduced a new questionnaire format that asked for specific evidence of controls across identity, endpoint, email, and data protection — not a self-attestation, but documented evidence that controls had been implemented and tested. The organisation had most of the underlying Microsoft 365 capabilities available through their existing licensing, but could not demonstrate which controls were active, which were configured but untested, and which were absent. Without that evidence, the renewal was at risk of either failing entirely or being rated at a significantly higher premium.
The licensing concern was a secondary but material driver. The finance director had flagged that the Microsoft 365 licensing spend had increased by around thirty percent over three years without a corresponding increase in headcount or a clear account of what additional capability had been purchased. There was a specific concern that the organisation was paying for E5 Security add-on licences on a per-user basis for the full 800-seat estate when several of the included workloads — Defender for Identity, Microsoft Sentinel, and Defender for Cloud Apps — were deployed only partially or not at all. The question of whether the licensing mix was appropriate for the actual deployment state had not been formally assessed.
The internal audit scheduled for the following quarter added a third dimension. The audit scope included identity governance, privileged access management, and data classification — three areas where the existing Microsoft 365 configuration had known gaps that the IT team had documented internally but had not been able to prioritise for remediation given competing operational demands. The audit committee required an independent view of the security posture and a credible remediation plan before the audit began, to demonstrate that known gaps were being actively addressed rather than carried forward indefinitely.
The assessment was scoped across five Zero Trust pillars — Identity, Devices, Applications, Data, and Infrastructure — using Microsoft's Zero Trust maturity model as the evaluation framework. Each pillar was assessed against three maturity levels: Traditional (no Zero Trust controls), Advanced (controls present but not fully enforced), and Optimal (controls active, enforced, and monitored). The assessment was explicitly scoped to the Microsoft 365 environment only — on-premises infrastructure and third-party SaaS applications were noted as out of scope in the engagement letter, with the recommendation that a subsequent phase address those layers once the Microsoft 365 controls were baselined.
The advisory engagement translated Microsoft 365 control maturity into a practical target state across identity, device, email, data, and monitoring layers, with licensing and delivery sequencing tied to business risk.
The licensing audit methodology worked backwards from the Microsoft product catalogue to the actual deployment state. For each workload included in the E3 and E5 Security licences held by the organisation, the audit recorded whether the workload was deployed, whether it was configured to enforce controls or operating in monitoring mode only, and whether the specific E5 Security features were being used — as distinct from the E3 features available in the same portal. Several workloads fell into a category of "deployed but not enforcing": Defender for Office 365 was active for all mailboxes, but the anti-phishing policy was operating with the default settings rather than a tuned configuration, and Safe Links and Safe Attachments were enabled but not applied to internal-to-internal mail or SharePoint. These workloads contributed to the E5 Security cost without delivering the control coverage that justified the premium.
The roadmap prioritisation framework weighted remediation items across three dimensions: risk reduction (impact on the assessed security posture), implementation complexity (internal team effort required without external support), and dependency sequencing (whether a control required a prerequisite to be in place before it could be implemented). Items that scored high on risk reduction, low on complexity, and had no blocking dependencies were classified as immediate — executable within the first ninety days with internal resources. Items with high risk reduction but requiring prerequisite work or significant implementation effort were classified as medium-term, targeted for months three through nine. Items that were important but dependent on earlier remediation phases or requiring procurement decisions were classified as long-term, placed in months nine through twelve.
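The classification rules above can be made mechanical so that every remediation item is scored the same way and dependency sequencing is checked rather than eyeballed. The following is an added illustration, not the engagement's own framework or tooling: the 1-5 scales, the cut-offs for "high risk" and "low complexity", the treatment of vendor-owned items as procurement-dependent, and the sample items are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Scales and cut-offs are assumptions for this illustration: the page names the three
# dimensions (risk reduction, complexity, dependency sequencing) but not a scoring scale.
HIGH_RISK = 4        # risk_reduction >= 4 on a 1-5 scale counts as "high"
LOW_COMPLEXITY = 2   # complexity <= 2 on a 1-5 scale counts as "low" (internal team only)
PHASES = ["immediate", "medium-term", "long-term"]
WINDOWS = {"immediate": "months 0-3", "medium-term": "months 3-9", "long-term": "months 9-12"}


@dataclass
class Item:
    id: str
    title: str
    risk_reduction: int                     # 1 (low) .. 5 (high)
    complexity: int                         # 1 (trivial) .. 5 (major project)
    owner: str = "internal"                 # "internal" | "external" | "vendor"
    depends_on: List[str] = field(default_factory=list)


def base_phase(item: Item) -> int:
    """Phase index from risk and complexity alone, before dependency sequencing."""
    if item.owner == "vendor":                         # needs a procurement decision first
        return 2
    if item.risk_reduction >= HIGH_RISK:
        if item.complexity <= LOW_COMPLEXITY and not item.depends_on:
            return 0                                   # quick, high-value, unblocked
        return 1                                       # high value but effort or prerequisites
    return 2


def assign_phases(items: Dict[str, Item]) -> Dict[str, str]:
    """Place each item no earlier than the phase after its prerequisites (clamped to the
    last phase) and refuse dependency cycles, which would make the roadmap unschedulable."""
    resolved: Dict[str, int] = {}
    in_progress: set = set()

    def resolve(iid: str) -> int:
        if iid in resolved:
            return resolved[iid]
        if iid in in_progress:
            raise ValueError(f"dependency cycle involving {iid}")
        in_progress.add(iid)
        item = items[iid]
        phase = base_phase(item)
        for dep in item.depends_on:
            if dep not in items:
                raise KeyError(f"{iid} depends on unknown item {dep}")
            phase = max(phase, resolve(dep) + 1)      # start after the prerequisite's phase
        resolved[iid] = min(phase, len(PHASES) - 1)   # nothing is scheduled past month 12
        in_progress.discard(iid)
        return resolved[iid]

    for iid in items:
        resolve(iid)
    return {iid: PHASES[idx] for iid, idx in resolved.items()}


def build_roadmap(items: List[Item]) -> List[dict]:
    """Sequenced roadmap: by phase, then highest risk reduction, then lowest complexity."""
    by_id = {i.id: i for i in items}
    phases = assign_phases(by_id)
    ordered = sorted(items, key=lambda i: (PHASES.index(phases[i.id]),
                                           -i.risk_reduction, i.complexity))
    return [{"id": i.id, "title": i.title, "owner": i.owner,
             "phase": phases[i.id], "window": WINDOWS[phases[i.id]]} for i in ordered]


# Constructed sample items modelled loosely on the tracks the page describes.
SAMPLE_ITEMS = [
    Item("CA-01", "Move report-only Conditional Access policies to enforcement", 5, 1),
    Item("MDO-01", "Apply Defender for Office 365 standard anti-phishing preset", 4, 2),
    Item("PIM-01", "Entra ID PIM for standing Global Administrator assignments", 5, 2),
    Item("DEV-01", "Tie Intune compliance state to Conditional Access", 4, 3,
         depends_on=["CA-01"]),
    Item("CA-02", "Require compliant device for all cloud apps", 5, 1, depends_on=["DEV-01"]),
    Item("DATA-01", "Auto-apply Purview sensitivity labels", 3, 3),
    Item("MDI-01", "Deploy Defender for Identity sensors", 4, 4, owner="vendor"),
]

if __name__ == "__main__":
    for row in build_roadmap(SAMPLE_ITEMS):
        print(f'{row["phase"]:<12} {row["window"]:<12} {row["id"]:<8} {row["title"]}')
```

The dependency rule is what keeps a roadmap honest: CA-02 scores as an immediate item on risk and complexity alone, but it sits behind DEV-01, which itself sits behind CA-01, so it is pushed to the long-term window rather than promised in the first ninety days.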
The documentation deliverables were defined at engagement scoping: a gap analysis report structured for a technical audience, a board summary structured for a non-technical audience, an HLD for each of the three highest-priority remediation tracks, an LLD for the Identity track (the highest-priority single workstream), and a pre-completed cyber insurance questionnaire with evidence references. The board summary used a traffic-light status model applied to each of the five Zero Trust pillars, with a one-paragraph narrative per pillar and a two-slide format suitable for presentation in a board risk committee meeting without requiring technical translation by the IT team.
The first two weeks covered assessment and gap analysis across all five pillars. The Identity pillar assessment examined Conditional Access policy coverage — the number of policies, their named location and device compliance conditions, whether report-only policies were present without a corresponding enforcement policy, break-glass account exclusions, and the presence and configuration of authentication methods. The assessment found forty-one Conditional Access policies in the tenant, of which eleven were in report-only mode and had been in that state for more than six months, indicating they had been created for evaluation but never moved to enforcement. The Devices pillar assessed Intune enrolment coverage, compliance policy configuration, and the relationship between device compliance state and Conditional Access enforcement. The Data pillar assessed Purview sensitivity label deployment and the extent to which labels were applied automatically versus requiring user action.
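The Conditional Access checks described above (policy count and state, device-compliance and named-location conditions, report-only policies that have no enforcement counterpart or have sat in report-only for too long, and break-glass exclusions) can be run over an exported policy list rather than by clicking through the portal. The following is an added example, not the engagement's assessment script. It operates on a constructed sample in the shape of a Microsoft Graph `/identity/conditionalAccess/policies` export: the property names (`state`, `conditions.users.excludeUsers`, `grantControls.builtInControls`, the `enabledForReportingButNotEnforced` state value) are Graph's, but the policies, object ids, break-glass account ids and dates are made up, and the "enforcement counterpart" test is a heuristic of this example (same scope and same grant controls), not a Graph feature.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample in the shape of a Graph /identity/conditionalAccess/policies export.
# Property names are Graph's; the policies, ids and dates are made up for this illustration.
BREAK_GLASS_IDS = {"bg-0001", "bg-0002"}                     # constructed break-glass object ids
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)           # constructed assessment date
REPORT_ONLY = "enabledForReportingButNotEnforced"            # Graph's report-only state value
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}  # grant controls tied to device state


def _policy(pid, name, state, created, modified, exclude_users, grant,
            client_apps=("all",), locations=None):
    """Build one policy record scoped to all users and all apps (sample-data helper)."""
    return {
        "id": pid, "displayName": name, "state": state,
        "createdDateTime": created, "modifiedDateTime": modified,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users),
                      "includeGroups": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": list(client_apps), "locations": locations,
        },
        "grantControls": {"operator": "OR", "builtInControls": list(grant)},
    }


POLICIES: List[dict] = [
    _policy("p1", "Require MFA for all users", "enabled", "2023-05-10T09:00:00Z",
            "2024-02-14T11:30:00Z", BREAK_GLASS_IDS, ["mfa"]),
    _policy("p2", "Require compliant device - report-only", REPORT_ONLY,
            "2024-06-01T08:00:00Z", None, BREAK_GLASS_IDS, ["compliantDevice"]),
    _policy("p3", "Block legacy auth - report-only", REPORT_ONLY, "2025-01-20T10:00:00Z",
            "2025-01-20T10:00:00Z", BREAK_GLASS_IDS, ["block"], ("exchangeActiveSync", "other")),
    _policy("p4", "Block legacy authentication", "enabled", "2024-11-05T10:00:00Z",
            "2024-11-05T10:00:00Z", ["bg-0001"], ["block"], ("exchangeActiveSync", "other")),
    _policy("p5", "Require MFA outside trusted locations", "disabled", "2022-09-01T10:00:00Z",
            None, BREAK_GLASS_IDS, ["mfa"],
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _last_touched(p: dict) -> datetime:
    # modifiedDateTime is null for policies never edited since creation
    return _parse(p.get("modifiedDateTime") or p["createdDateTime"])


def _signature(p: dict) -> tuple:
    """Scope + grant controls, used to pair a report-only policy with an enforcing twin."""
    c = p["conditions"]
    return (tuple(sorted(c["users"]["includeUsers"])),
            tuple(sorted(c["users"]["includeGroups"])),
            tuple(sorted(c["applications"]["includeApplications"])),
            tuple(sorted(c["clientAppTypes"])),
            tuple(sorted((c.get("locations") or {}).get("includeLocations", []))),
            tuple(sorted(p["grantControls"]["builtInControls"])))


def coverage_summary(policies: List[dict]) -> Dict[str, int]:
    by_state = Counter(p["state"] for p in policies)
    return {"total": len(policies), "enabled": by_state["enabled"],
            "report_only": by_state[REPORT_ONLY], "disabled": by_state["disabled"],
            "device_compliance": sum(1 for p in policies
                                     if DEVICE_CONTROLS & set(p["grantControls"]["builtInControls"])),
            "named_locations": sum(1 for p in policies if p["conditions"].get("locations"))}


def stale_report_only(policies: List[dict], as_of=AS_OF, max_age_days=180) -> List[str]:
    """Report-only policies untouched for longer than max_age_days: evaluated, never enforced."""
    return [p["displayName"] for p in policies
            if p["state"] == REPORT_ONLY and (as_of - _last_touched(p)).days > max_age_days]


def report_only_without_enforcement(policies: List[dict]) -> List[str]:
    """Report-only policies with no enabled policy of identical scope and controls (heuristic)."""
    enforced = {_signature(p) for p in policies if p["state"] == "enabled"}
    return [p["displayName"] for p in policies
            if p["state"] == REPORT_ONLY and _signature(p) not in enforced]


def missing_break_glass_exclusion(policies: List[dict], break_glass=BREAK_GLASS_IDS) -> List[str]:
    """Enabled policies that do not exclude every break-glass account (tenant lockout risk)."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and not break_glass <= set(p["conditions"]["users"]["excludeUsers"])]


if __name__ == "__main__":
    print("coverage:", coverage_summary(POLICIES))
    print("report-only older than 180 days:", stale_report_only(POLICIES))
    print("report-only with no enforcing twin:", report_only_without_enforcement(POLICIES))
    print("enabled policies missing break-glass exclusion:", missing_break_glass_exclusion(POLICIES))
```

Against a real tenant the `POLICIES` list would come from `Get-MgIdentityConditionalAccessPolicy` or a Graph call exported to JSON; the checks themselves do not change. The two report-only findings deliberately differ: the compliant-device policy is both stale and has no enforcing twin, while the legacy-auth report-only policy is recent and duplicates an enabled policy, so the first is a remediation item and the second is a candidate for deletion.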
Week three produced the roadmap and prioritisation output. The gap analysis findings were mapped to remediation items, each assigned an owner role (internal IT, requires external support, or requires vendor engagement), an effort estimate, and a risk reduction score. The prioritisation framework produced a sequenced list of forty-three remediation items across the twelve-month window. The three highest-priority items — enforcing the eleven report-only Conditional Access policies, enabling Defender for Office 365 anti-phishing in standard enforcement mode, and deploying Entra ID PIM for the eight standing Global Administrator assignments — were each assessed as executable by the internal team within the ninety-day window without external implementation support. The HLD for each of these three tracks defined the target configuration state, the change sequence, and the rollback procedure. The LLD for the Identity track specified the exact Conditional Access policy configuration changes, the PIM role assignment process, and the validation test procedure for each change.
Week four was documentation and presentation production. The cyber insurance questionnaire was completed by mapping each question to the relevant assessment finding and evidence source — where a control was active and configured, the evidence reference was the specific policy export or configuration screenshot captured during the assessment; where a control was absent or in monitoring mode only, the evidence reference was the corresponding roadmap item and its target completion date, which the underwriter's questionnaire accepted as a risk treatment plan. The board presentation was reviewed with the IT director before finalisation to ensure the traffic-light status accurately reflected the assessed state — two pillars were rated amber rather than red, reflecting that controls were present but not fully enforced, and this distinction was material to the board's understanding of the remediation effort required.
The licensing analysis was presented separately from the security roadmap, as it involved a procurement recommendation rather than a technical remediation. The analysis concluded that six of the eight E5 Security workloads were either not deployed or not operating in enforcement mode, and that three of those six — Defender for Identity, Defender for Cloud Apps, and Microsoft Sentinel — were unlikely to be deployed within the twelve-month roadmap window given the internal team's capacity. The recommendation was to convert those seats to E5 Compliance add-on licences, which addressed gaps identified in the Data pillar assessment, and to defer the E5 Security workloads to a subsequent licence renewal cycle once the foundational controls identified in the roadmap had been implemented. The projected saving from the licence optimisation, annualised, was documented in the licensing analysis report.
The engagement delivered all defined outputs within the four-week scope: gap analysis report, board summary, three HLDs, one LLD, completed cyber insurance questionnaire with evidence pack, and the licensing analysis. The cyber insurance renewal was completed without a rate increase — the underwriter accepted the questionnaire, evidence pack, and roadmap as sufficient demonstration of a credible risk treatment plan for the identified gaps.
The internal audit proceeded with the IT team in possession of an independent assessment that pre-empted the audit's identity governance and data classification findings. The audit committee received the board summary as part of the IT director's pre-audit briefing, and the roadmap was formally accepted as the organisation's response to the known control gaps before the audit fieldwork began. The audit report, issued six weeks after the assessment engagement closed, referenced the roadmap in its management response section — an outcome that required the roadmap to exist in a board-accepted format before the audit began, which the engagement had been explicitly scoped to enable.
The three highest-priority remediation items — Conditional Access enforcement, Defender for Office 365 policy tuning, and PIM deployment — were all completed by the internal team within the ninety-day window, following the HLDs and LLD produced during the engagement. No external implementation support was required for these items, which had been the intent of the low-complexity classification in the prioritisation framework. The internal team reported that the LLD for the Identity track, specifically the Conditional Access enforcement sequence, was the most operationally useful deliverable — it provided enough specificity to execute the changes without ambiguity about the order of operations or the validation steps required before moving from report-only to enforcement mode.
The licensing optimisation recommendation was implemented at the next licence renewal cycle, with the projected saving realised as documented. The E5 Security workloads that were deferred — Defender for Identity, Defender for Cloud Apps, and Sentinel — were subsequently scoped as a separate implementation engagement, with the roadmap item that had been classified as long-term in the original assessment used as the initial scope definition. The advisory engagement had been explicitly designed to produce outputs that would be useful beyond the four-week delivery window, and that design held.
The advisory created decision quality the client did not previously have. Leadership received a defensible view of control maturity, the internal IT team received implementation-ready design artefacts for the highest-priority items, and procurement received a licensing recommendation tied to actual deployment intent rather than assumption.
That combination matters in regulated environments. The client was able to respond to underwriter scrutiny, prepare for audit, and sequence its Microsoft security investment around realistic internal delivery capacity rather than broad Zero Trust ambition. The result was a roadmap that could actually be executed, funded, and defended.
Book a discovery call to discuss your Microsoft environment.