A mid-market manufacturer had Microsoft 365 “working” for years, and a security posture that had aged in place. MFA was inconsistent. Too many global admins. Legacy authentication still on. Leadership wanted stronger controls after insurer and customer questionnaires got sharper, without freezing email for people on the floor and in remote sales.
- ~350Users in scope
- 100%Interactive MFA coverage target met
- 6 weeksAssess → remediate → handoff
- MonthlyReview cycle left behind
What success meant here: fewer easy account-takeover paths, clearer admin hygiene, phishing response that wasn’t “forward it to IT and hope,” and a review habit the internal team could run without us living in the tenant forever.
The situation
Microsoft 365 had grown with the business: new sites, new guests, new shared mailboxes, same handful of overpowered admin accounts. Secure Score looked fine in places and rough in others. Nobody had time to interpret it into a backlog leadership trusted.
Operations worried MFA would break shared shop-floor workflows. Sales worried Conditional Access would block them on personal devices during travel. Both concerns were legitimate, and both were solvable with exceptions that were tracked, not whispered.
Baseline findings (the honest list)
- MFA missing or weak for a meaningful set of interactive users
- Legacy authentication still enabled for pathways that no longer needed it
- Global Administrator assigned more broadly than daily work required
- Defender for Office 365 policies present but unevenly tuned
- No clean break-glass account design or admin account separation
- User-reported phishing path informal and easy to drop
How we worked
Prioritized backlog, not a 90-page audit
We ran Secure Score and identity risk reviews, then sorted work into “this week,” “this month,” and “schedule with change control.” Leadership saw a one-page sequence, not a binder.
MFA with a plan for edge cases
Enrollment campaigns went out with clear deadlines. Break-glass accounts were designed and stored properly. Exceptions for constrained floor scenarios were documented with owners and review dates, so they wouldn’t become permanent holes.
Conditional Access that matched real work
Policies targeted admins first, then broader populations. We tested unmanaged device behavior with sales before flipping firm-wide rules. The goal was fewer surprise lockouts, not a perfect diagram on a whiteboard.
Defender and phishing as an operations habit
We tuned anti-phishing and malware policies carefully, then set a simple user-reported phishing path with who triages what. Security only works if people know what to do when something looks wrong at 7:40 a.m.
Admin blast radius
Privileged roles were cleaned up. Daily-driver mailboxes stopped carrying standing Global Admin. A lightweight monthly access review was scheduled so drift didn’t undo the project in a quarter.
Remediation sequence
| Week | Focus | Outcome |
|---|---|---|
| 1 | Assessment & backlog | Risk-ranked plan + exception list |
| 2-3 | MFA & admin hygiene | Enrollment, break-glass, role cleanup |
| 3-4 | Conditional Access | Phased policies + pilot validation |
| 4-5 | Defender & phishing ops | Policy tuning + report path |
| 6 | Handoff | Runbooks + monthly review cadence |
Results
- Interactive MFA coverage expanded to the full in-scope user population, including privileged roles
- Legacy authentication paths that were no longer required were blocked
- Standing admin privilege shrank; fewer people could “accidentally” be the blast radius
- Security operations had a clearer alert and phishing triage path
- Leadership received a maintainable review cycle, not a one-time Secure Score spike
They didn’t just raise Secure Score. They left us with habits we can still run six months later.
- Infrastructure & Security Manager, manufacturing
What this engagement was not
It wasn’t a SOC replacement or a full Zero Trust rewrite of every system on the plant network. It was Microsoft 365 identity, email threat protection, and admin hygiene done carefully enough that operations kept moving, and insurance questionnaires got easier answers.
Want a practical Microsoft 365 security review?
We’ll assess your tenant and leave you a prioritized plan for identity, email, and admin risk, not a binder you’ll never open.
Book a security review