AD0.8 The NE Starting Point
Figure AD0.8 — Northgate Engineering's current M365 security posture. Secure Score: approximately 38%. MFA is partially deployed via security defaults. Email protection is default EOP only. Devices are enrolled in Intune but no compliance policies exist. Data protection and monitoring are essentially absent. This is a representative starting point for a mid-size organisation where IT manages security.
The company
Northgate Engineering is a mid-size engineering firm headquartered in the UK with 210 employees across three offices. They design and manufacture precision components for aerospace and defence clients. The company processes sensitive intellectual property (engineering designs, manufacturing specifications) and handles contractual data from clients with strict security requirements.
The M365 tenant has been running for four years. The IT team consists of three people: a senior IT administrator (that’s you in this scenario), a helpdesk technician, and an IT manager who splits time between IT and facilities management. There is no dedicated security role. The senior IT administrator handles everything from user provisioning to printer problems to Teams configuration — and now, security.
The licensing is M365 E3 for all 210 users, with an E5 trial that expired six months ago (Defender for Endpoint and the advanced Defender features are no longer available). The infrastructure is hybrid — Azure AD Connect syncs the on-premises Active Directory with Entra ID, and Exchange is fully online (migrated from on-premises two years ago).
The current state
NE’s M365 security posture reflects what happens when a tenant is administered competently but without security focus. Everything works. Users can sign in, email flows, Teams meetings happen, SharePoint sites are accessible, and devices are managed through Intune. But the security layer is almost entirely default.
Identity: security defaults are enabled, which means MFA registration is required but the MFA challenge is issued at Microsoft's discretion rather than deterministically on every sign-in. 87% of users have registered for MFA; the remaining 13% are a mix of shared accounts, service accounts, and users who haven't signed in since the registration window opened. There are three Global Administrator accounts: the IT administrator's daily account, the IT manager's account, and a legacy account from when the tenant was set up by a consultant. No conditional access policies exist. Legacy authentication is not explicitly blocked. Self-service password reset is not configured, so every password reset goes through the helpdesk.
Email: Exchange Online Protection provides basic anti-spam and anti-malware filtering. No Safe Links or Safe Attachments policies are configured, meaning Defender for Office 365 Plan 1 features are available but unused. Anti-phishing policies are at default settings. SPF, DKIM, and DMARC are not configured on the company’s domain — email authentication is not enforced, which means anyone can spoof emails appearing to come from @northgateeng.com.
Devices: 85% of endpoints are enrolled in Intune. The remaining 15% are personal devices (BYOD) that access M365 through web browsers. No device compliance policies exist — enrolled devices are managed for application deployment and Windows Update rings, but there’s no security baseline enforcement. BitLocker is deployed on most corporate devices but not enforced through policy.
Data and monitoring: no sensitivity labels, no DLP policies, no regular audit log review, no alert monitoring cadence, and no incident response procedure. The unified audit log is enabled by default but nobody has ever searched it. The Defender portal has been visited once (during the E5 trial) but is not part of any regular workflow.
How to run this assessment on your own tenant
NE’s assessment isn’t hypothetical — you can run the same checks on your environment right now using the admin portals. Here’s exactly what to check and where to find it.
MFA registration rate: Navigate to entra.microsoft.com → Protection → Authentication methods → Activity. The “Registration and reset” tab shows the percentage of users who have registered for MFA. If you see a registration rate below 90%, the gap represents accounts that can be compromised with just a password.
Global Administrator count: Navigate to entra.microsoft.com → Roles and administrators → Global Administrator. Count the members. Best practice is 2-4 Global Administrators (two break-glass accounts plus one or two operational admins). More than four creates unnecessary risk — every Global Administrator account is a tier-zero target. If you see accounts you don’t recognise or accounts that belong to former employees or consultants, that’s an immediate remediation item.
Legacy authentication usage: Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Add a filter for “Client app” and select all the legacy options (IMAP4, POP3, SMTP, Exchange ActiveSync, Other clients). Any results in the last 30 days tell you which accounts are authenticating through protocols that don’t support MFA. These accounts can be compromised even when MFA is enabled because the legacy protocol bypasses the MFA challenge entirely.
Email protection status: Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies. Check for Safe Links and Safe Attachments policies. If you only see “Built-in protection (preset)” and no custom policies, your email protection is running at the minimum level.
Intune compliance: Navigate to intune.microsoft.com → Devices → Compliance. If you see “No compliance policies” or only policies in a reporting state, devices are not being evaluated against any security baseline. Check Devices → All devices for the enrollment count — compare it to your total device count from the M365 Admin Center to calculate your enrollment percentage.
One check that frequently reveals surprises is the Global Administrator membership list from the role check above. In NE's case, it shows three Global Admins, including a legacy consultant account that hasn't been used in 18 months. That account is a dormant attack vector: if the consultant's credentials were exposed through any breach database, whoever holds them would have Global Administrator access to your tenant. Removing or disabling unnecessary admin accounts is a zero-cost, five-minute security improvement that should happen before you build any conditional access policies.

Each of these checks takes under two minutes. Together, they give you a concrete, evidence-based picture of where your tenant stands: not an assumption based on what you think you configured, but verified data from the admin portals.
For MFA registration specifically, there is a more detailed report at entra.microsoft.com → Protection → Authentication methods → Activity → Registration. This shows you not just the percentage but which specific users have not registered, which MFA methods they have registered (Authenticator app, phone, FIDO2 key), and when they last registered a method. Export this report before you deploy conditional access — the users who have not registered are the ones who will call the helpdesk on enforcement day, and you want to reach out to them proactively.
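The legacy authentication check is the one most worth automating once you export the sign-in log, because the filter has to be re-run every month. The script below is an added example (not from the course or from Microsoft) that scans an Entra sign-in log CSV export for legacy client apps used within the last 30 days and reports, per account, which protocols were seen and how many of those sign-ins succeeded. The column names, the constructed sample rows, and the legacy client app values beyond the five named in the text are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Client app values that cannot complete an MFA challenge. The first five are the
# filter options named in the text; the rest are further legacy values the Entra
# sign-in log uses (assumed from its schema; trim if your export differs).
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
    "Autodiscover", "Exchange Online PowerShell", "Exchange Web Services",
    "MAPI Over HTTP", "Offline Address Book",
}

def legacy_auth_accounts(export_csv, now, window_days=30):
    """Map each username seen on a legacy protocol inside the window to
    {'apps': [...], 'successes': n}. Only the 'Date (UTC)', 'Username',
    'Client app' and 'Status' columns are read (assumed export column names)."""
    cutoff = now - timedelta(days=window_days)
    seen = defaultdict(lambda: {"apps": set(), "successes": 0})
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Export timestamps end in 'Z'; make them timezone-aware for comparison.
        when = datetime.fromisoformat(row["Date (UTC)"].strip().replace("Z", "+00:00"))
        app = row["Client app"].strip()
        if when < cutoff or app not in LEGACY_CLIENT_APPS:
            continue
        entry = seen[row["Username"].strip().lower()]
        entry["apps"].add(app)
        if row["Status"].strip().lower() == "success":
            entry["successes"] += 1
    return {u: {"apps": sorted(e["apps"]), "successes": e["successes"]}
            for u, e in sorted(seen.items())}

# Constructed sample export: five sign-ins, the last one older than the window.
SAMPLE_SIGNINS = """Date (UTC),Username,Client app,Status
2025-03-10T08:01:00Z,j.smith@northgateeng.com,Exchange ActiveSync,Success
2025-03-12T09:15:30Z,scanner@northgateeng.com,Authenticated SMTP,Success
2025-03-12T09:20:00Z,j.smith@northgateeng.com,Browser,Success
2025-03-14T11:00:00Z,consultant.legacy@northgateeng.com,IMAP4,Failure
2025-01-02T07:00:00Z,old.user@northgateeng.com,POP3,Success
"""

def sample_legacy_report(now=datetime(2025, 3, 15, tzinfo=timezone.utc)):
    """Run the scan over the constructed export at a fixed assessment time."""
    return legacy_auth_accounts(SAMPLE_SIGNINS, now)

if __name__ == "__main__":
    for user, info in sample_legacy_report().items():
        print(f"{user}: {', '.join(info['apps'])} ({info['successes']} successful)")
```

Failed attempts are reported as well as successes, because a failing IMAP4 or POP3 login still tells you which accounts are being tried over a protocol that cannot be protected by MFA.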
What this baseline means
NE’s current state is not unusual. Industry surveys consistently show that 40-60% of M365 tenants have no conditional access policies, 30-40% haven’t configured Defender for Office 365 features beyond defaults, and fewer than 20% have operational device compliance policies. NE is average — which is exactly the problem. Average M365 security configuration leaves the door open for the most common attacks.
The good news is that every gap in NE’s posture is fixable with E3 licensing, zero additional budget, and the time investment this course teaches. MFA enforcement through conditional access takes an afternoon to deploy. Email protection with Safe Links and Safe Attachments takes an hour to configure. Device compliance policies take a few hours to build and test. The blocking factor has never been cost or complexity — it’s been knowledge. This course provides the knowledge. The rest of the modules walk you through closing each gap, one at a time, in the order that maximises security impact.
You’ve assessed NE’s current posture and identified the gaps. Your IT manager asks: “What’s the single most important thing we should do first?” You have the full gap list — identity, email, devices, data, monitoring. Which one do you recommend as the first priority?
Option A: Email protection — configure Safe Links and Safe Attachments because users are reporting phishing emails weekly.
Option B: Identity — move from security defaults to conditional access with MFA enforcement and legacy auth blocking.
Option C: Devices — create compliance policies and enforce device requirements through conditional access.
Option D: Monitoring — set up a daily alert review cadence in the Defender portal.
The correct answer is Option B. Identity is always first. Conditional access with deterministic MFA and legacy authentication blocking prevents the vast majority of credential-based attacks. Even if phishing emails still land (and they will until you configure email protection), the attacker can’t use stolen credentials if conditional access blocks the sign-in. Email protection is second. Devices are third. Monitoring starts alongside everything else but isn’t a standalone priority — monitoring without controls to monitor is just watching incidents happen.
Try it: Map your own starting point
Using NE’s assessment as a template, score your own environment across the four categories: Identity (0-10), Email (0-10), Devices (0-10), Data & Monitoring (0-10).
For Identity: do you have conditional access policies? Is legacy auth blocked? How many Global Administrators exist? What’s your MFA registration rate?
For Email: are Safe Links and Safe Attachments configured? Do you have SPF, DKIM, and DMARC on your domain? Is anti-phishing tuned beyond defaults?
For Devices: are devices enrolled in Intune? Do compliance policies exist? Are compliance results feeding into conditional access?
For Data & Monitoring: do you have sensitivity labels? DLP policies? Does anyone review the Defender portal alerts regularly?
Write down your scores. These are your baseline. The rest of this course improves each category, starting with Identity in the next module.
You're reading the free modules of M365 Security: From Admin to Defender