Cloud Security Posture Assessment

Know exactly where your Microsoft 365 and Azure environment stands.

The problem

Most Tanzanian SMEs have moved to Microsoft 365 without reviewing the default settings — which are not secure by default. We have seen businesses with no MFA enforcement, unrestricted external sharing, and no conditional access policies in place. A single compromised account can bring down your entire operation: email, documents, communication, billing. The problem is not that you moved to the cloud — it is that the defaults were designed for convenience, not security.

Our methodology

  • Automated audit using Prowler against CIS Foundations Benchmarks for Microsoft 365 and Azure
  • Manual review of Conditional Access policies and MFA enforcement gaps
  • Privileged Identity Management configuration review
  • Email security assessment: SPF, DKIM, and DMARC record validation
  • External sharing settings audit for SharePoint and OneDrive
  • Microsoft Teams external access and guest permissions review
  • Admin role minimisation check — who has Global Admin and why
  • Audit log and alerting configuration review

What you will receive

  • Full findings report with critical, high, medium, and low risk findings
  • Prioritised remediation roadmap with effort estimates
  • Step-by-step remediation guidance document
  • 30-day follow-up call to review remediation progress

Estimated timeline

2 weeks from engagement start

Overview

Your cloud environment is only as secure as its configuration. Microsoft 365 ships with settings optimised for ease of use — not security. Without a structured review, the gap between where your tenant is and where it should be can be significant.

This engagement gives you a clear, prioritised picture of every misconfiguration in your environment — and a roadmap to fix it.

What We Look At

Identity and Access Management

MFA enforcement status, Conditional Access policy coverage, privileged role assignments, and legacy authentication protocols that bypass modern controls.

Email Security

SPF, DKIM, and DMARC record configuration. Whether your domain can be spoofed to send phishing emails that appear to come from you.
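The spoofing exposure described above comes down to what a domain's SPF and DMARC TXT records actually say. The checker below is an added example written for this page, not the firm's tooling; it evaluates constructed sample records (a real run would first fetch the domain's TXT and _dmarc TXT records over DNS) and rates the weak settings an assessment would flag.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # critical / high / medium / low / info
    message: str

def assess_spf(txt: str | None) -> list[Finding]:
    """Rate an SPF TXT record; None means the domain publishes none."""
    if txt is None:
        return [Finding("high", "no SPF record: any host may send as this domain")]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "TXT record is not a valid SPF record")]
    # The trailing 'all' qualifier decides how receivers treat unlisted senders.
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return [Finding("medium", "SPF has no 'all' mechanism; unlisted senders are not failed")]
    qual = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {
        "-": [Finding("info", "SPF ends with -all (hard fail)")],
        "~": [Finding("low", "SPF ends with ~all (soft fail); receivers may still deliver")],
        "?": [Finding("high", "SPF ends with ?all (neutral): no protection")],
        "+": [Finding("critical", "SPF ends with +all: every host passes")],
    }[qual]

def assess_dmarc(txt: str | None) -> list[Finding]:
    """Rate a _dmarc TXT record; None means the domain publishes none."""
    if txt is None:
        return [Finding("high", "no DMARC record: SPF/DKIM results are never enforced")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "DMARC record lacks v=DMARC1")]
    policy = tags.get("p", "none").lower()
    findings = [Finding({"reject": "info", "quarantine": "low"}.get(policy, "high"),
                        f"DMARC policy p={policy}")]
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address; aggregate reports are not collected"))
    return findings

# Constructed sample records, not taken from any real tenant.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

With the sample records, SPF rates "low" (soft fail) and DMARC rates "high" because p=none only monitors and never rejects spoofed mail.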

Data Sharing Controls

External sharing settings in SharePoint and OneDrive. Whether your business documents can be shared outside the organisation without restriction.

Admin Configuration

How many accounts hold Global Administrator rights, whether admin accounts are protected by separate MFA policies, and whether Privileged Identity Management is in use.

Audit and Alerting

Whether audit logging is enabled, what the retention periods are, and whether alerts are configured for high-risk events like bulk file downloads or impossible travel sign-ins.

Methodology

We use Prowler — an open-source cloud security tool trusted by security teams globally — to run automated checks against the CIS Microsoft 365 Foundations Benchmark. This catches configuration gaps at scale. We then layer in manual review for nuanced controls that automated tools can miss.

Every finding is severity-rated against its real-world exploitability in the Tanzanian SME threat landscape — not just theoretical CVSS scores.

Deliverables

You receive a structured findings report, a prioritised remediation roadmap with effort estimates, and step-by-step remediation guidance written for a non-specialist IT administrator to follow. A 30-day check-in call is included to review progress and answer questions.

Frequently asked questions

What if we use Google Workspace instead of Microsoft 365?

This assessment is designed specifically for Microsoft 365 and Azure environments. We can scope a separate Google Workspace assessment — the methodology differs but the principle is the same: check against CIS Foundations Benchmarks for Google Cloud Identity and Workspace. Get in touch to discuss.

Do you fix the issues you find, or just report them?

The standard engagement delivers a findings report and remediation guidance — you implement the fixes with your IT team. If you do not have internal technical resources, we offer a remediation sprint as an add-on scope, or you can bring in a managed service provider to implement our roadmap. We are happy to supervise or advise during remediation.

Do we need to give you admin access?

We require read-only access to your Microsoft 365 tenant for the automated and manual checks. Specifically, we need a Security Reader role and access to run Prowler with read-only API permissions. We do not require Global Admin access, and we will document exactly what permissions we need before engagement starts.

How long before our tenant settings are actually reviewed?

Active review typically takes 3–5 business days, with the remaining time used for report writing, prioritisation, and the remediation roadmap. You receive a draft report for your review before we finalise.

Will this disrupt our day-to-day operations?

No. This is a read-only assessment. We do not make changes to your environment during the audit phase. All configuration changes happen during remediation, which you control and schedule.

Ready to get started?

All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.