mtech labs ai
Eastbourne · UK

Clean up the permissions AI will quietly inherit from SharePoint and Entra.

Copilot and agents take whatever access your identity and sharing model already grants; they add no permissions of their own, and remove none. We tighten that model before an LLM puts a natural-language search layer over the top of it.

01/ What's involved

Where we look, and what we change.

A focused review across identity, privileged access and sharing — the three surfaces that decide what Copilot will be allowed to read.

Entra ID posture review

MFA coverage, legacy-auth blocking, sign-in risk policies, device compliance — the controls that decide who actually gets into your tenant.

Privileged role audit

Global Admins, Exchange Admins, SharePoint Admins and service accounts with standing scope. Most tenants have three to five times more than they need; Microsoft's own guidance is fewer than five Global Administrators, assigned as PIM-eligible rather than standing.

Conditional Access baseline

Policy review against the Microsoft and NCSC baselines — identifying gaps, shadow exclusions and the "temporary" rules that never expired.

SharePoint & Teams permissions

Site-by-site permission mapping, external-sharing posture and inherited-access sprawl. The layer Copilot will read through by default.

Guest & external access

Dormant guests, B2B collaborations past their usefulness and "anyone with link" files that predate the current sharing policy.

Offboarding & account lifecycle

How leavers are deprovisioned, whether their OneDrives and mailboxes linger in the index, and what automation exists to keep it tidy.

OAuth & AI-app consent governance

Which AI tools staff have granted access to their Microsoft 365 data through OAuth consent, and which of those have been admin-consented for the whole tenant: ChatGPT plugins, Gemini add-ons, Claude integrations. Surfaced through Defender for Cloud Apps, scored on risk, and revoked or gated (by restricting user consent to verified publishers and low-risk scopes) where they shouldn't be there.

The OAuth and AI-app consent work is one half of a wider piece of work with Purview, covered in full on the AI security perimeter page.

02/ What you get

Defensible, documented, reproducible.

The same controls Assurix verifies live — privileged-access hygiene, MFA/CA posture, patch and supplier discipline — written down once so you stop rediscovering them.

  1. Identity risk register

    Every finding scored by likelihood and blast radius, with a named owner and a remediation step — the kind auditors actually like.

  2. Privileged-access plan

    PIM scope, break-glass design, standing-rights cleanup list — a pragmatic path to least privilege, not a purity exercise.

  3. Conditional Access ruleset

    Cleaned-up policy set, documented exclusions and a change log — so the next reviewer doesn't start from zero.

  4. Sharing & lifecycle runbook

    How new sites are provisioned, how sharing is defaulted, how leavers are offboarded — written so operations can run it.

03/ Typical findings

What we usually find first.

None of these are rare. All of them matter more the moment an LLM can ask "show me everything about X".

  • A dozen accounts with standing Global Admin rights and no PIM.
  • Service accounts using password auth with scopes broader than any person has.
  • Conditional Access policies in report-only mode since the original pilot.
  • "Anyone with the link" as the tenant default sharing mode.
  • Guest accounts from projects that finished 18 months ago, still active.
  • Former employees' OneDrives still licensed and indexed by search.
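As an added example (not M-Tech Labs' tooling, and not code from this page), a read-only PowerShell audit that surfaces the six findings above, plus the OAuth consent check from the "What's involved" section, across Entra ID and SharePoint Online. It assumes the Microsoft Graph PowerShell SDK and the Microsoft.Online.SharePoint.PowerShell module are installed, that the signed-in account can be granted the read-only scopes requested, and that the placeholder admin URL is replaced with the tenant's own. The 90-day guest dormancy cutoff and the two Microsoft owner-tenant IDs used to classify first-party apps are assumptions.

```powershell
# Added example: read-only audit of the "typical findings" above. Not M-Tech Labs' tooling.
# Assumes Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell are installed.
$scopes = @(
    'RoleManagement.Read.Directory',      # role assignments and PIM eligibility
    'Policy.Read.All',                    # Conditional Access policies
    'User.Read.All', 'AuditLog.Read.All', # users, licences, last sign-in
    'Application.Read.All', 'Directory.Read.All'  # apps and OAuth consent grants
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}

# 1. Standing Global Admin rights and no PIM. Active members minus anyone who holds
#    the role as a PIM-eligible (activated) assignment = permanent assignments.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator template
$gaRole   = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$active   = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaTemplateId'"
foreach ($m in $active) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if ($upn -and $m.Id -notin $eligible.PrincipalId) {
        Add-Finding 'Privileged access' "Standing Global Administrator: $upn"
    }
}

# 2. Service accounts on password auth: app registrations carrying client secrets.
Get-MgApplication -All -Property DisplayName,AppId,PasswordCredentials |
    Where-Object { ($_.PasswordCredentials | Measure-Object).Count -gt 0 } |
    ForEach-Object {
        Add-Finding 'Service accounts' "$($_.DisplayName) uses $(@($_.PasswordCredentials).Count) client secret(s); prefer certificate or managed identity"
    }

# 3. Conditional Access still in report-only (or disabled), and shadow exclusions.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') {
        Add-Finding 'Conditional Access' "'$($p.DisplayName)' is $($p.State), not enforced"
    }
    $exclusions = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
        Where-Object { $_ }
    $n = ($exclusions | Measure-Object).Count
    if ($n -gt 0) {
        Add-Finding 'Conditional Access' "'$($p.DisplayName)' excludes $n user(s)/group(s); confirm each is still justified"
    }
}

# 4. "Anyone with the link" as the tenant default (placeholder admin URL: replace TENANT).
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Add-Finding 'Sharing' "Tenant permits 'Anyone' links (SharingCapability = ExternalUserAndGuestSharing)"
}
if ($tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
    Add-Finding 'Sharing' "New share links default to 'Anyone' (DefaultSharingLinkType = AnonymousAccess)"
}

# 5. Dormant guests: no sign-in in the last 90 days (cutoff is an assumption).
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id,Mail,CreatedDateTime,SignInActivity |
    ForEach-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        if (-not $last) { $last = $_.CreatedDateTime }   # never signed in: age from creation
        if ($last -lt $cutoff) {
            Add-Finding 'Guests' "$($_.Mail) last seen $($last.ToString('yyyy-MM-dd'))"
        }
    }

# 6. Leavers still licensed (and therefore still indexed): disabled accounts holding licences.
Get-MgUser -All -Filter "accountEnabled eq false" -Property UserPrincipalName,AssignedLicenses |
    Where-Object { ($_.AssignedLicenses | Measure-Object).Count -gt 0 } |
    ForEach-Object {
        Add-Finding 'Lifecycle' "Disabled account $($_.UserPrincipalName) still holds $(@($_.AssignedLicenses).Count) licence(s)"
    }

# 7. OAuth consent to third-party (including AI) apps: delegated grants whose client app is
#    owned by neither this tenant nor Microsoft. The two Microsoft owner-tenant IDs are the
#    well-known first-party values; treating them as trusted is an assumption.
$ownTenant = (Get-MgContext).TenantId
$trustedOwners = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47', $ownTenant)
Get-MgOauth2PermissionGrant -All | Group-Object ClientId | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.Name -Property DisplayName,AppOwnerOrganizationId
    $owner = [string]$sp.AppOwnerOrganizationId
    if ($owner -and $owner -notin $trustedOwners) {
        $granted = ($_.Group.Scope -join ' ').Split(' ') | Where-Object { $_ } | Sort-Object -Unique
        $tenantWide = ($_.Group | Where-Object ConsentType -eq 'AllPrincipals' | Measure-Object).Count -gt 0
        $suffix = if ($tenantWide) { ' incl. tenant-wide admin consent' } else { '' }
        Add-Finding 'OAuth consent' "$($sp.DisplayName): $($_.Group.Count) grant(s)$suffix; scopes: $($granted -join ', ')"
    }
}

$findings | Sort-Object Area | Format-Table -AutoSize -Wrap
Disconnect-MgGraph | Out-Null
```

The script only reads. For the sharing default in particular, the corrected setting is `Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal`, which keeps named-guest sharing working while stopping new "Anyone" links; existing anonymous links are not revoked by that change and need a separate sweep. Each finding carries the identifier a remediation owner needs, which is what the identity risk register described above is built from.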

/ Backed by

Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme. Code is continuously scanned for quality and security with Aikido, with independent QA and penetration testing by Zoonou available where engagements call for it, and hosted on our own Nutanix / Fortinet platform — continuously pen-tested, current-version, UK-based. See secure development for the full picture.

/ Start a conversation

Tighten identity before Copilot goes live.

A focused review, a prioritised fix list, and the option to stay on for the remediation sprint that actually closes the gaps.