Microsoft 365 Tenant Assessment —
Fixed-Fee Audit, 2–3 Weeks
Eight-domain assessment of your Microsoft 365 tenant — identity, licensing, security, data, compliance, collaboration, Copilot readiness, and operational posture. Written evidence package and prioritized roadmap, in three weeks. Ideal for SOC 2, cyber insurance renewal, Copilot readiness, and M&A due diligence. Microsoft AI Cloud Partner.
What We Audit
Every tenant assessment covers the same eight domains — sized to your tenant, your compliance regime, and the specific trigger (audit prep, insurance renewal, Copilot readiness, or M&A).
Identity & Access
Entra ID configuration, Conditional Access inventory, privileged role census, MFA coverage by persona, legacy auth usage, guest population, consent to apps, and Secure Score / Identity Secure Score snapshots.
Licensing & Cost
SKU assignment by persona, utilization vs. assigned, overlap with third-party tools, Copilot readiness, F-SKU candidates, renewal calendar, and modeled savings across the estate.
Security & Threat Protection
Defender for Office 365 configuration, Defender for Endpoint posture, safe attachments / safe links, anti-phish tuning, attack simulation history, and mail flow security (SPF/DKIM/DMARC).
Data Governance & Purview
Sensitivity label coverage, DLP policy inventory, retention and records posture, eDiscovery readiness, insider risk signal, and data residency configuration.
Compliance Mapping
Mapping of tenant configuration against SOC 2, HIPAA, GLBA, PCI DSS, CMMC, or TX-RAMP controls — whichever applies — with a gap list and prioritized remediation path.
Collaboration & Governance
Teams and SharePoint governance, external sharing posture, Group lifecycle policy, storage sprawl, sensitivity label coverage on sites, and collaboration pattern analysis.
Copilot Readiness
Tenant-level Copilot readiness — SharePoint over-sharing hunt, sensitivity label gap, Graph access review, search optimization, and persona fit analysis against actual usage signals.
Operational Posture
Admin process audit, change management discipline, log retention for identity and security signals, SIEM integration status, and incident response readiness.
Three Weeks, Written Deliverable
Fixed scope, fixed fee, read-only access. Kickoff Monday, evidence package and read-out in three weeks.
Kickoff & Data Access
Kickoff with your IT leadership, scoped read-only access to your tenant, compliance regime confirmation, and stakeholder interviews to capture the business context around the tenant.
Discovery & Evidence Capture
Automated and manual discovery across all eight domains. Evidence captured in standardized templates — policies, assignments, signals, logs — with source-of-truth references for every finding.
Analysis & Roadmap
Findings analyzed, risks ranked, modeled savings calculated, and a prioritized roadmap built — quick wins, medium-term hardening, and strategic investments mapped to your compliance regime and business rhythm.
Written Deliverable & Read-Out
Executive summary, per-domain findings, evidence package, and prioritized roadmap delivered as a written report. Read-out with your IT and executive leadership to align on sequence and ownership.
Fixed-Fee. Written Scope. No Obligation After.
Every assessment is fixed-fee with a written deliverable and read-out. No embedded services bias — the assessment is the assessment. Clients who choose to execute follow-on work with ICS do so on separately-scoped engagements, and clients who execute internally get the same roadmap either way.
What Typically Comes After an Assessment
These are the engagements that most often scope out of assessment findings — but none are assumed or required.
Entra ID Hardening
Execution-side engagement for the identity findings — Conditional Access, PIM, MFA, and legacy auth shutdown.
Learn More →Microsoft 365 Licensing
Execute on the licensing findings — SKU rebalancing, Copilot sizing, CSP transitions, and quarterly governance.
Learn More →Microsoft 365 Management
Ongoing managed operations for clients who want ICS to own tenant administration post-assessment.
Learn More →Email Migration
When the assessment reveals a migration need — Exchange decom, Google Workspace, or tenant-to-tenant after M&A.
Learn More →Tenant Assessment — FAQ
What does the assessment actually deliver?+
A written evidence package and prioritized roadmap. The evidence package covers all eight domains — identity, licensing, security, data, compliance, collaboration, Copilot readiness, and operational posture — with source-of-truth references for every finding. The roadmap ranks findings by risk and return, maps them to your compliance regime, and sequences them into quick wins, medium-term hardening, and strategic investments.
Do you need full admin access to our tenant?+
No. The assessment runs with scoped read-only access — Global Reader, Security Reader, Compliance Reader, and Reports Reader roles cover most of what we need. Where specific capabilities require write access (for example, pulling Secure Score recommendations), we coordinate short-window elevations that are logged and reviewed with your team.
How is this different from Microsoft Secure Score?+
Secure Score is Microsoft's self-assessment tool — it flags some configuration gaps but ignores most of what matters for enterprise audit, licensing optimization, and compliance mapping. The ICS tenant assessment includes Secure Score analysis but extends to licensing cost and utilization, Purview and data governance, compliance-specific control mapping, Copilot readiness, and operational discipline — none of which Secure Score evaluates.
We're preparing for SOC 2 / HIPAA / cyber insurance renewal. Does this help?+
Yes — it's often the trigger. Assessment findings map directly to the controls your auditor or insurer cares about, and the evidence package frequently becomes part of the audit preparation binder. Clients on SOC 2 Type 2 regularly use the tenant assessment to pre-stage their own readiness review six months before the audit window.
How is this different from your Entra ID hardening engagement?+
The tenant assessment is broader and non-invasive — it's a read-only audit across eight domains with a written roadmap. Entra ID hardening is execution — deploying Conditional Access, PIM, legacy auth shutdown, and MFA enforcement with evidence. Many clients start with the assessment and then scope a hardening engagement (and often licensing and data governance work) from the findings.
Do you assess Copilot readiness as part of this?+
Yes. Copilot readiness is one of the eight domains — SharePoint over-sharing hunt, sensitivity label coverage, Graph access review, search optimization, and persona fit analysis against actual Microsoft 365 usage signals. Organizations considering a Copilot rollout often start with the assessment so they understand the remediation work required before Copilot is safe to deploy.
How much does the assessment cost?+
Fixed-fee based on tenant size and compliance regime. Every proposal includes a written scope and deliverable before work starts. For most mid-market tenants the investment returns within the first round of implemented recommendations — typically through licensing optimization alone.
What happens after the assessment?+
Your call. Some clients hand the roadmap to their internal team and execute themselves. Others scope follow-on engagements with ICS — Entra ID hardening, email or tenant migration, licensing optimization, data governance, or ongoing Microsoft 365 Management. There's no obligation and no embedded bias — the assessment deliverable is the deliverable.
Ready to Know What's Actually in Your Tenant?
Three weeks, eight domains, written evidence package. Ideal for organizations preparing for SOC 2, cyber insurance renewal, Copilot rollout, or M&A due diligence — or anyone who wants a clear-eyed read on what they own and where the risk is.