Category: Data Privacy

For most organisations, a Microsoft 365 technical security assessment is the starting point — and often the most valuable single activity they undertake. It identifies configuration weaknesses, validates control implementation, and provides a clear view of technical exposure. That work is essential. It is also, in most cases, where organisations stop. Audits, however, do not...
Microsoft 365 security failures are often blamed on technical gaps: a missing control, an unchecked box, a feature that wasn’t enabled. Those issues matter, but they are rarely the enduring root cause. More often, the tenant becomes insecure because it stops being intentional. That loss of intentionality is governance. Most Microsoft 365 tenants do not...
Microsoft 365 is frequently described as an “ISO 27001–aligned platform”. In isolation, that statement is not incorrect. Microsoft 365 provides a wide range of technical capabilities that can support many of the controls expected under ISO 27001. Where organisations get into difficulty is assuming that capability equates to compliance. ISO 27001 does not certify platforms....
External sharing is one of Microsoft 365’s greatest strengths — and one of its most misunderstood risks. Done well, it enables collaboration at scale. Done poorly, it creates silent data exposure that persists long after the original business need has passed. This article explores how external sharing creates risk in Microsoft 365, where organisations typically...
Microsoft Secure Score is one of the most widely referenced security metrics in Microsoft 365. It is visible, easy to understand, and often used as shorthand for “how secure” an environment is. That simplicity is precisely the problem. Secure Score can be a useful indicator, but it is frequently misunderstood, over-trusted, and misused — particularly...