Microsoft 365 Security Assessment

Independent Technical Assurance

Know whether your Microsoft 365 controls are genuinely working - not just configured

Your firm pays Microsoft every month for security capabilities that came with your licence. Your IT provider configured those capabilities and told you they are working. Your Secure Score looks healthy. None of that tells you whether your security controls are actually working. Secure Score rewards the presence of a recommended setting; it cannot tell you whether a policy's scope, exclusions or interaction with other policies leave the control unenforced in practice.

Metis Security provides a Microsoft 365 Security Assessment designed to give you a clear, evidence-led view of how your tenant is performing in practice, and what matters most to address first. This assessment provides independent validation of Microsoft 365 security controls: confirming what is already effective, and identifying priority gaps where enforcement or coverage may fall short.

We go beyond surface-level checks. We evaluate identity and access enforcement, threat protection configuration, data protection controls and governance settings, combining technical analysis with risk-based prioritisation where required. The outcome is a focused, actionable view of your Microsoft 365 security posture and control effectiveness.

We focus on clarity over noise. You won’t receive a checklist or a generic scorecard — you’ll receive findings that explain what is wrong, why it matters, and what to do next.

Why Independence Matters

Good managed service providers build well-configured environments. What they cannot do is independently verify their own work - that is a governance principle that applies across every profession, not a reflection on competence.

Metis Security provides that independent perspective: no managed services, no licence sales, nothing that could colour the findings. An assessment your IT provider can point to with confidence and your leadership can rely on without reservation.

Every engagement is personally delivered by David Morgan – CISSP certified since 2002, with current Microsoft Security certifications and 27 years of hands-on cybersecurity testing experience. The person you brief is the person who does the work and signs the report. No junior staff, no handoffs, no dilution.

Who this is typically for

This assessment is for professional services firms – law practices, accountancy firms, financial services consultancies and similar organisations – that are paying for Microsoft 365 security capabilities and have never independently verified whether those capabilities are working as intended.

It is most valuable when:

  • Your environment has grown or evolved and no independent review has been conducted
  • Your IT provider or MSP manages your M365 tenant and you want an independent perspective
  • You are preparing for a cyber insurance renewal, client security audit, or regulatory review
  • You are evaluating or deploying Microsoft 365 Copilot and want to understand your data governance exposure before go-live

IDENTITY & ACCESS ENFORCEMENT

Most Microsoft 365 compromises begin with identity. This section confirms whether your authentication and access controls are enforcing the boundaries you believe they are. We assess Entra ID configuration, authentication controls and access governance to determine whether identity boundaries are properly enforced and resistant to abuse. Focus areas typically include:

  • Authentication strength and MFA enforcement consistency
  • Conditional Access design and policy interaction
  • Privileged Identity Management (PIM) configuration
  • Role assignments, delegation and least-privilege alignment
  • Guest and external access governance
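As an illustration of the "configured versus enforced" distinction this section describes, the following is an added example (not Metis Security's own tooling or method) that uses the Microsoft Graph PowerShell SDK to list Conditional Access policies and separate those that actually enforce MFA from those that are report-only, disabled or narrowly scoped. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example, not the assessment's own script. Requires the Microsoft.Graph
# PowerShell SDK and an account that can consent to Policy.Read.All (assumption).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $grant = $p.GrantControls
    # A policy "requires MFA" if it uses the built-in mfa control or an
    # authentication strength. $grant is null for session-control-only policies,
    # in which case both tests evaluate to false.
    $requiresMfa = ($grant.BuiltInControls -contains "mfa") -or
                   ($null -ne $grant.AuthenticationStrength.Id)
    [pscustomobject]@{
        Name           = $p.DisplayName
        State          = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        RequiresMfa    = $requiresMfa
        AllUsers       = ($p.Conditions.Users.IncludeUsers -contains "All")
        AllApps        = ($p.Conditions.Applications.IncludeApplications -contains "All")
        ExcludedUsers  = @($p.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups = @($p.Conditions.Users.ExcludeGroups).Count
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# Presence: an MFA policy exists. Enforcement: at least one MFA policy is
# enabled (not report-only), targets all users and all cloud apps, and its
# exclusions are known and justified.
$enforced = $report | Where-Object {
    $_.State -eq 'enabled' -and $_.RequiresMfa -and $_.AllUsers -and $_.AllApps
}
if (-not $enforced) {
    Write-Warning "No enabled Conditional Access policy requires MFA for all users across all apps."
}

$reportOnly = $report | Where-Object {
    $_.State -eq 'enabledForReportingButNotEnforced' -and $_.RequiresMfa
}
foreach ($r in $reportOnly) {
    Write-Warning "Policy '$($r.Name)' requires MFA but is report-only: configured, not enforced."
}

foreach ($r in ($report | Where-Object { $_.State -eq 'enabled' -and ($_.ExcludedUsers + $_.ExcludedGroups) -gt 0 })) {
    Write-Host "Policy '$($r.Name)' excludes $($r.ExcludedUsers) user(s) and $($r.ExcludedGroups) group(s); review each exclusion."
}
```

The check is deliberately coarse. A policy that targets all users and all apps can still be narrowed by platform, location, client-app or device-filter conditions, and an excluded group may be large or self-service. The output is a starting point for manual review of policy interaction and exclusions, not a verdict on its own.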

THREAT PROTECTION & DETECTION READINESS

Having Microsoft Defender licensed is not the same as having it properly configured. We assess whether your threat protection controls are set up to generate meaningful signals and support a timely response:

  • Microsoft Defender configuration and coverage
  • Alerting, monitoring, and response capability
  • Logging and audit readiness
  • Visibility gaps that reduce detection effectiveness

DATA PROTECTION & EXPOSURE CONTROL

Sensitive data shared through Teams, SharePoint and OneDrive can be exposed in ways that are not immediately visible. We assess whether your data protection controls are actually limiting that exposure in practice:

  • Data classification and sensitivity labelling enforcement
  • DLP configuration and operational effectiveness
  • Information protection and rights management controls
  • External sharing governance and exposure pathways
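The external-sharing point above can be made concrete with a tenant-level and per-site check. This is an added example (not part of the assessment methodology or Metis Security's tooling) using the SharePoint Online Management Shell; the admin URL uses a placeholder tenant name, which is an assumption to be replaced.

```powershell
# Added example, not the assessment's own script. Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator.
# "contoso" below is a placeholder tenant name (assumption).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide sharing posture: the ceiling that every site inherits.
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability,            # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | ExternalUserAndGuestSharing
                        DefaultSharingLinkType,       # what a user gets when they click "Share"
                        DefaultLinkPermission,        # View | Edit
                        RequireAnonymousLinksExpireInDays,
                        FileAnonymousLinkType,
                        FolderAnonymousLinkType,
                        SharingDomainRestrictionMode | Format-List

if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Tenant permits anonymous 'Anyone' links; the setting is present but permissive."
    if ($tenant.RequireAnonymousLinksExpireInDays -lt 1) {
        Write-Warning "Anonymous links never expire at tenant level."
    }
}

# Per-site view: a restrictive tenant default means little if individual sites
# have been opened up. List sites whose effective sharing allows external users.
$open = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -in @('ExternalUserSharingOnly', 'ExternalUserAndGuestSharing') } |
    Select-Object Url, Title, SharingCapability, LastContentModifiedDate

if ($open) {
    Write-Host "$(@($open).Count) site(s) allow external sharing:"
    $open | Sort-Object SharingCapability, Url | Format-Table -AutoSize
} else {
    Write-Host "No sites allow external sharing beyond the tenant default."
}
```

Sites in the second list are exposure pathways only if sensitive content lives there and the sharing links have actually been created; correlating the list with sensitivity labels and the existing shared links on those sites is the step that turns configuration into evidence of exposure.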

GOVERNANCE & CONTROL CONSISTENCY

Controls that are configured correctly today can drift over time without consistent governance. We assess whether the structures that maintain your security posture are operating as intended:

  • Policy design and enforcement consistency
  • Role and responsibility clarity
  • Monitoring and reporting alignment
  • Framework or regulatory alignment where required

How You Will Gain

Benefits

Verified, not assumed

Confirmation that your controls are configured correctly, enforced as intended and functioning as designed. Not a Secure Score summary: an independent expert examination.

Independent of everyone

No managed services. No licence sales. No commercial stake in what the assessment finds. Our only interest is an accurate picture – which is precisely what makes it worth having.

A fraction of your licensing spend

For any firm with 200 or more users, the assessment costs less than half of what you pay Microsoft in a single month. Fixed price, agreed before the engagement starts.

Complete deliverable

Executive summary for partners and directors. Technical findings for the IT team. Remediation guidance for every finding. Everything needed to act, in one document.

Personally delivered

David Morgan scopes, assesses, writes and presents. 27 years of relevant experience. CISSP and current Microsoft Security certifications. No junior resource. No handoff.

One week. Fixed fee

Standard engagements complete within one working week. The fee is agreed at scoping and does not change. No supplementary invoices, no day-rate negotiations.

Start with a conversation

Five questions. Fixed-price proposal the same day. Start date within a week. David Morgan will speak with you directly.

Microsoft 365 Assessment - Service Overview (infographic)

What the assessment covers, what it costs and how to start.

Five Questions Worth Answering (infographic)

What most organisations actually answer, and what good looks like.

What We Check and What We Find (infographic)

13 controls, the most common misconfiguration in each, and whether any of them would be flagged by Secure Score.

Supporting Material

Blog Posts on M365 & Assessments

STREAMLINED AND EFFICIENT

Engagement Approach

M365 Security Assessment engagements are structured to deliver clear outcomes, not open-ended consultancy.

Initial Scoping

Define scope, objectives and rules of engagement, ensuring testing reflects real-world threat exposure and business priorities.

Controls Validation

Conduct structured assessment and impact validation across agreed in-scope systems.

Reporting & Technical Debrief

Document confirmed vulnerabilities, validated impact and prioritised remediation guidance with clear technical context.

Remediation & Re-Validation (Optional)

Where gaps are identified and support is required, practical guidance on remediation approach and validation of key fixes can be provided as an extension of the engagement.

COMPETITIVE AND BESPOKE

Engagement Scope & Depth

Microsoft 365 environments vary significantly in scale, architectural complexity and operational maturity. Meaningful security assessment requires scope aligned to identity structure, collaboration exposure, governance model and monitoring configuration. Engagements are structured to provide depth of analysis and defensible conclusions, not surface-level configuration review.

The assessment is fixed price. For most professional services firms with 200 or more licensed users, the fee is less than half of their monthly Microsoft 365 licensing spend. Pricing is confirmed in the scoping conversation based on your specific environment.

A representative mid-sized tenant may include:

  • Entra ID with Conditional Access and PIM
  • Exchange Online, SharePoint, Teams and OneDrive
  • Defender for Office 365
  • Purview data protection controls
  • 50–500 users with varied role assignments

Larger or multi-tenant environments are scoped accordingly.


Microsoft 365 Control Validation

The most common starting point for organisations seeking independent validation of their Microsoft 365 security posture. A focused, fixed-scope engagement delivering clear findings and prioritised recommendations within a defined timeframe — without the overhead of a larger programme.
4-5 days
  • Conditional Access design and enforcement
  • Privileged role and delegation configuration
  • Data protection and DLP effectiveness
  • Defender coverage and alert quality
  • Logging and audit readiness across core services

Extended Control & Governance Review

Builds on Control Validation to include governance maturity and operational alignment. Designed for environments requiring broader strategic assurance of Microsoft 365 security controls.
8-12 days
  • Control maturity assessment
  • Threat and exposure analysis
  • Governance and policy enforcement review
  • Change management and operational oversight evaluation
  • Framework alignment where required
  • Forward-looking security roadmap considerations

Complex & Multi-Tenant Engagements

For larger estates, multi-tenant structures or advanced requirements, scope is tailored to architectural complexity and operational needs.
Custom
  • Multiple Microsoft 365 tenants
  • Deep-dive reviews of Intune or endpoint controls
  • Advanced Defender configuration validation
  • Specialist service deep-dives
  • Extended framework or regulatory alignment

Engagement duration typically ranges from several days for focused validation to multi-week engagements for complex or multi-tenant environments. Final scope and pricing are confirmed following structured discovery discussion.


Start with a conversation

If you are responsible for Microsoft 365 in your organisation and want to know whether your controls are genuinely effective, a direct discussion with David is the most practical first step. No obligation, no sales process — just a clear conversation about your situation and whether an assessment would add value.