Entra ID / Microsoft 365 Access Hardening — Foundations (OOH-safe)

Tighten Microsoft 365 sign-in security without creating daytime disruption.
We introduce strong administrative controls, disable unsafe legacy paths, and prepare Conditional Access policies safely in report-only mode — all outside working hours.

Why teams use this

For many organisations, Entra ID (Azure AD) security remains partly enabled: MFA for some, legacy protocols still open, Conditional Access untested.
Daytime rollout feels risky, so it drifts.

Our evening foundations window lets you harden the core safely, gather impact data, and hand back a ready plan for full enforcement later.

What you can expect

• Break-glass assurance — emergency access accounts created, tested, and monitored
• Strong admin MFA — secure authentication methods applied to privileged roles
• Legacy auth retired — POP/IMAP/Basic protocols disabled or constrained
• Conditional Access prepared — baseline policies in report-only mode for 2–3 weeks
• Clear proof — evidence packs, exceptions list, and handover plan ready for sign-off
• Partner-friendly — can be white-labelled for MSP tenants

Typical work we handle

Administrative security
Create and validate break-glass accounts, apply robust MFA to admin groups

Authentication modernisation
Define allowed MFA methods, enable user registration campaign

Protocol hygiene
Disable or limit legacy IMAP/POP/Basic auth; document and constrain exceptions

Conditional Access baselines
Apply standard report-only rules for MFA outside trusted locations, risky sign-ins, and admin device state

Every action follows a controlled, versioned runbook.

Governance

• Pre-agreed safe-change catalogue
• Each change includes what / where / proof / rollback / owner sign-off
• Evidence packs stored in your own tenant or SharePoint — CygnusTech retains no client data
• CAB-ready runbooks and summaries supplied for your governance process
• Delivered as a defined service with clear proof and rollback posture

Results you care about

• Administrative access secured and tested
• Legacy authentication paths closed
• Conditional Access ready to enforce with measured impact
• User registration under way — no helpdesk flood
• Full audit trail and handover pack for onward enforcement

How it works

1. Confirm scope and access. One named coordinator on your side.
2. Run triage. Identify admin accounts, legacy dependencies, and trusted locations.
3. Deliver in window. 07:00–09:00 or 18:00–21:00 UK, Tuesday to Friday.
4. Observe impact. Leave policies in report-only mode for 2–3 weeks.
5. Review and hand over. Evidence, exceptions list, and enforcement plan.

Planned evening configuration — not an emergency response.

Systems and Environments We Support

Microsoft 365 tenants of any size — Business, E3, or E5
Entra ID (formerly Azure AD) — standard or premium
Hybrid-joined or cloud-only environments
Defender for Identity / Conditional Access / Authentication Methods

Pricing (guide)

We price by outcome rather than hours. A straightforward structure keeps everything predictable:

• Pilot engagement — a small, time-boxed tranche to demonstrate the approach
• Foundations tranche — a short series of evening sessions to establish the baseline safeguards
• Partner retainer — a monthly allowance for MSPs to keep multiple client tenants aligned and secure

Pricing starts at £3,200 for a pilot engagement and £3,750–£4,600 for a full foundations tranche — clear, fixed, and scoped to outcomes.

At a glance

Next step

If you’d like to explore whether this fits your environment, we can arrange a short, no-obligation call to review your current Entra ID posture and outline what a Foundations engagement would look like.
You’ll leave with a clear picture of effort, risk reduction, and the next sensible steps — whether or not you choose to proceed.