The platform locked the way Microsoft intended.
A Microsoft 365 / Azure tenant in default configuration is set up for adoption, not security. Defaults that made sense when you were a 5-person business signing up online become exposure surface when you're 50 people storing client data, processing payments, and signing contracts. Tenant lockdown is the work of moving from the defaults to a properly configured baseline: Conditional Access, identity hardening, SharePoint permission audit, Teams external sharing controls, Defender configuration, and the network controls that need to live around Azure resources. Mostly free with your existing licences; almost always done halfway.
External sharing permissions on SharePoint are usually wide open by default, so anyone with a link could view your client files. Legacy authentication protocols (POP, IMAP, SMTP basic auth) are still enabled. Azure subscriptions are provisioned without proper RBAC, network segmentation, or cost guardrails. Service principals with broad permissions are left orphaned by previous projects. None of these is exotic; all of them are how most SMB tenants look on day one.
Tenant baseline review reconfigures the defaults — Conditional Access enforced, legacy auth blocked, external SharePoint sharing scoped, Defender for Cloud Apps watching the SaaS perimeter, Purview labels rolled out, Intune device compliance bound to access. Azure subscription gets RBAC and the Cloud Adoption Framework landing-zone treatment. Cost-management dashboard with anomaly detection. Network security groups, private endpoints, Azure Firewall where workloads warrant.
Continuous baseline monitoring through Defender for Cloud and Microsoft Secure Score. Monthly review of the score — any drift, any new finding, action it. Quarterly architecture review against Microsoft's Well-Architected Framework. Annual full posture audit against Essential Eight maturity targets, with a defensible evidence pack for insurers and customer questionnaires.
Each of the six topics covers a layer of the security stack. They work together — phishing defence assumes good identity, identity assumes endpoint compliance, endpoint compliance assumes the tenant is locked down properly.
30 minutes, your environment, no deck. Warren walks the Azure tenant lockdown surface with you and tells you what it would take to lock it down properly. No follow-up unless you ask.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director