IronSights

Microsoft 365 · Security Specialists

Microsoft 365. Your environment, actually secured.

IronSights are Microsoft 365 Security specialists. Most Australian organisations run M365 but leave the security features misconfigured or switched off entirely. We close that gap.

Identity, email, endpoints, and data — all four pillars hardened against ASD standards and measured by your Microsoft Secure Score every month.

Microsoft Certified Experts
Secure Score improvement monthly
M365 native — no third-party agents

Four pillars

Complete coverage, none of the gaps.

M365 security spans identity, email, devices, and data. Most deployments have at least one pillar left exposed. We work through all four.

Every pillar hardened to ASD Essential Eight standards and tracked by monthly Secure Score reporting.

Identity & Access

Conditional Access policies, phishing-resistant MFA, Privileged Identity Management, and risk-based sign-in controls via Entra ID.

Email Security

DMARC, DKIM, SPF, anti-phishing policies, Safe Links and Safe Attachments. Email-borne threats stopped before they reach your users.

Endpoints & Devices

Intune device compliance, Autopilot deployment, application protection policies, and Windows Hello for Business.

Data & Compliance

Microsoft Purview sensitivity labels, DLP policies, insider risk management, and Secure Score improvement reported monthly.

What's included

Everything needed to harden your M365.

Eight distinct workstreams, each with measurable outputs. Delivered in phases so you see improvement from week one.

Conditional Access

Policies designed for your user groups, device fleet, and applications — tested in report-only mode before enforcement.

MFA enforcement

Phishing-resistant MFA across all users. Legacy authentication protocols blocked across the board.

DMARC, DKIM & SPF

Email authentication records configured to prevent domain spoofing and impersonation attacks.

Intune compliance

Minimum security standards enforced before devices access corporate data. Autopilot for zero-touch provisioning.

Purview data protection

Sensitivity labels, DLP policies, and insider risk management configured around your data environment.

Privileged Identity Mgmt

Just-in-time admin access with approval workflows. No permanent Global Admin accounts.

Secure Score reporting

Monthly Secure Score reporting with specific actions taken and what's planned next.

Defender deployment

Microsoft Defender for Endpoint, Identity, Office 365, and Cloud Apps configured and monitored.

Built for Microsoft environments

We configure Entra ID, Defender, Intune, and Purview to ASD standards. Rather than layering third-party agents on top of Microsoft's stack, we activate and configure what you're already paying for.

  • Identity protection via Entra ID
  • Conditional Access for every sign-in
  • Endpoint security through Defender
  • Secure Score lifted month on month

Improvement milestones

Most organisations we engage start with a Secure Score between 25 and 45 per cent. We target measurable improvement across four phases, reported monthly.

  1. MFA + legacy auth block: Weeks 1–2
  2. Identity hardening + PIM: Weeks 3–4
  3. Email + endpoint security: Weeks 5–8
  4. Data governance + monitoring: Ongoing

What you gain

A measurable number that goes up.

Four concrete outcomes from every M365 hardening engagement, measured and reported from day one.

Credentials protected

Conditional Access and MFA enforcement mean stolen passwords alone are no longer enough to access your environment. The most common attack vector is closed.

Secure Score improved

A measurable, monthly improvement milestone. You know exactly how your posture is changing, with specific actions attributed to each score movement.

Threats detected

Defender's full capability deployed across endpoints, email, identity, and cloud apps. Behavioural detection catches what signature-based tools miss.

Data governed

Sensitive data classified, labelled, and protected. DLP policies stop data leaving your organisation through email, Teams, or endpoint upload.

Common questions

M365 security questions answered.

  1. What does an M365 security engagement involve?

    It starts with an assessment of your current Secure Score, configuration gaps, and risk exposure. We then work through four phases — identity hardening, email security, endpoint compliance, and data governance — at a pace that suits your operations. Monthly reporting tracks progress throughout.

  2. Do we need to replace our existing tools?

    No. We work entirely within the Microsoft 365 stack you're already running. We don't introduce third-party agents or replace existing tools. We activate, configure, and tune what Microsoft has already built into your licence.

  3. How long does it take to see improvement?

    Most organisations see a meaningful Secure Score improvement within the first two weeks — MFA enforcement and legacy authentication blocking alone typically move the score 15 to 20 points. Full hardening across all four pillars takes eight to twelve weeks depending on your starting point.

  4. What's included in monthly reporting?

    A plain-English posture report covering Secure Score movement, actions taken during the month, incidents or alerts responded to, and the hardening backlog for the next quarter. Separate board and technical versions are produced from the same data.

  5. Is this included in Fortify managed security?

    Yes. Microsoft 365 hardening is part of every Fortify engagement. If you're looking for ongoing managed security with continuous monitoring and response, Fortify is the right starting point. If you want M365 hardening as a standalone project, we offer it separately.

First step

Tell us your Secure Score.

We'll assess your current M365 configuration, identify the highest-risk gaps, and scope a fixed-price hardening engagement. Most assessments complete within 24 hours of access.