For most organisations, a Microsoft 365 technical security assessment is the starting point — and often the most valuable single activity they undertake. It identifies configuration weaknesses, validates control implementation, and provides a clear view of technical exposure. That work is essential. It is also, in most cases, where organisations stop. Audits, however, do not...

Microsoft 365 security failures are often blamed on technical gaps: a missing control, an unchecked box, a feature that wasn’t enabled. Those issues matter, but they are rarely the enduring root cause. More often, the tenant becomes insecure because it stops being intentional. That loss of intentionality is governance. Most Microsoft 365 tenants do not...

Microsoft 365 is frequently described as an “ISO 27001–aligned platform”. In isolation, that statement is not incorrect. Microsoft 365 provides a wide range of technical capabilities that can support many of the controls expected under ISO 27001. Where organisations get into difficulty is assuming that capability equates to compliance. ISO 27001 does not certify platforms....

External sharing is one of Microsoft 365’s greatest strengths — and one of its most misunderstood risks. Done well, it enables collaboration at scale. Done poorly, it creates silent data exposure that persists long after the original business need has passed. This article explores how external sharing creates risk in Microsoft 365, where organisations typically...

When Microsoft 365 security incidents occur, they are often attributed to “sophisticated attacks” or “advanced threat actors”. In reality, the majority of compromises exploit well-known, repeatable misconfigurations that have existed quietly for months or years. These issues persist not because they are difficult to fix, but because they sit in the gaps between responsibility, ownership,...

Traditional perimeter security assumed that if you protected the network, you protected the organisation. Microsoft 365 has rendered that model obsolete. In a cloud-first world, identity is the perimeter — and attackers know it. This article explores how modern attackers compromise Microsoft 365 tenants and why identity misconfiguration is now the dominant failure mode.

Microsoft Secure Score is one of the most widely referenced security metrics in Microsoft 365. It is visible, easy to understand, and often used as shorthand for “how secure” an environment is. That simplicity is precisely the problem. Secure Score can be a useful indicator, but it is frequently misunderstood, over-trusted, and misused — particularly...