Foetron · Microsoft cloud operations

Security that fits how Microsoft tenants actually work.

We baseline identity, configure the controls Microsoft ships with, instrument what we expect to see, and rehearse the incident lane before it's needed. No fear-selling. No console screenshots. Posture you can run.

Diagram: security as concentric rings. Identity is the perimeter ring: Conditional access, MFA, Privileged access, Device trust.

security.posture.ts · Identity-first baseline

    export const securityBaseline = {
      identity: ['Entra ID', 'Conditional Access', 'Token Protection'],
      endpoint: ['Defender for Endpoint', 'Sophos coexistence', 'Intune'],
      data: ['Purview labels', 'DLP', 'Exchange transport rules'],
      signal: ['Sentinel', 'Defender XDR', 'Sign-in logs'],
    };

What we hear

Four assumptions that quietly undo most Microsoft tenants.

None of these are reckless. They are reasonable conclusions a busy IT team reaches after two years of patching, licensing, and answering audit questions. They are also the four most expensive places we land work.

  • 01

    MFA is enough.

    MFA blocks bulk credential reuse. It does not block consent phishing, token theft, or legacy-auth fallthroughs. Conditional Access and token protection do the work MFA is often credited with.

  • 02

    Defender is configured by default.

    Licensed is not configured. Attack surface reduction rules, EDR in block mode, tamper protection, and ASR exclusions all ship off or audit-only. The default posture is a starting line, not a finish.

  • 03

    Backups equal recovery.

    A successful backup is necessary but not sufficient. Recovery is a rehearsed sequence: identity restored first, then endpoints, then data. Most customers have never timed it under realistic constraints.

  • 04

    An MSSP equals an incident response plan.

    An MSSP can detect and alert. An IR plan names the lead, defines containment authority, lists the customers who must be notified, and rehearses the call tree. Detection without that scaffolding stalls at triage.

Control map

Four defense surfaces. Three questions answered for each.

For each surface we name the native control we rely on, the non-default posture we configure, and the signal we expect to see in operations. The grid is the same brief we run against every new tenant.

Identity

Native control

Microsoft Entra ID + Conditional Access

What we configure

Block legacy auth tenant-wide. Risky sign-in MFA. Location-gated admin roles. Token Protection for high-privilege sessions. Privileged Identity Management for break-glass.

Signal we expect

Sign-in logs · risky user score · CA policy decision telemetry

Endpoint

Native control

Defender for Endpoint + Sophos coexistence

What we configure

EDR in block mode. ASR rules enabled and tuned. Tamper protection on. Intune compliance gates. Sophos retained where standardized; signal forwarded to Defender XDR.

Signal we expect

Defender alerts · device compliance posture · ASR rule hits

Data

Native control

Purview labels + DLP + Exchange transport

What we configure

Sensitivity labels for three real document classes — not 30. DLP policies tested against the customer's actual outbound patterns. Transport rules for external-share enforcement.

Signal we expect

Label coverage · DLP match rate · external sharing audit

Network

Native control

Entra Global Secure Access + Defender for Cloud Apps

What we configure

Internet Access for managed devices. Conditional Access for unmanaged. Defender for Cloud Apps shadow-IT discovery wired into the same identity signal.

Signal we expect

Sanctioned-app traffic share · shadow-IT discovery · access policy hits

None of this is exotic. All of it ships with the licenses most customers already own. The work is configuration, not procurement.

Identity posture

If the identity layer is right, the rest of the work becomes tractable.

We treat Entra ID as the perimeter. These are the five baselines we set in the first week. They are not theoretical — they are the configurations we ship into every new engagement and audit against quarterly.

Hub

Microsoft Entra ID

Identity is the perimeter.

  • 01

    Conditional Access

    Block legacy auth · risky sign-in MFA · location-gated admin roles · device-trust gates

  • 02

    Token Protection

    Bind high-privilege sessions to the originating device. Defeats token replay across endpoints.

  • 03

    Privileged Identity Management

    Admin roles JIT-elevated · approval workflow · session limits · break-glass documented.

  • 04

    Identity Protection

    Risky user + risky sign-in signals wired into Conditional Access. Auto-remediation for low-risk.

  • 05

    Device Trust

    Intune compliance is the source of truth for device state. CA policies consume it directly.

We baseline these five in week one. We do not move to endpoint or data work until the identity layer is verified.
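The three Conditional Access baselines named above (block legacy auth, MFA on risky sign-ins, device-trust gates on admin roles) written out as an added example, not Foetron's code or a Microsoft artefact. The policies use the field names of the Microsoft Graph conditionalAccessPolicy resource; the sign-in records, the role ids joined onto them, and the mapping from the sign-in log's clientAppUsed value to CA clientAppTypes are simplifications made for this example. Replaying a handful of sign-ins through the policies shows what each one catches, and why a policy left in report-only state catches nothing.

```typescript
// Added example, not Foetron's code: the identity baselines above written in the
// Microsoft Graph conditionalAccessPolicy shape and replayed against constructed
// sign-in records, so you can see which sign-in each policy catches. The sign-in
// records, the role ids joined onto them, and the clientAppUsed -> clientAppTypes
// mapping are simplifications made for this example.

type ClientAppType = "browser" | "mobileAppsAndDesktopClients" | "exchangeActiveSync" | "other";
type RiskLevel = "none" | "low" | "medium" | "high";
type Control = "block" | "mfa" | "compliantDevice";

export interface CaPolicy {
  displayName: string;
  state: "enabled" | "enabledForReportingButNotEnforced" | "disabled";
  conditions: {
    users: { includeUsers?: string[]; includeRoles?: string[] };
    clientAppTypes: ClientAppType[]; // Graph's "all" is spelled out as the full list here
    signInRiskLevels?: RiskLevel[];  // absent = policy does not condition on risk
  };
  grantControls: { operator: "OR" | "AND"; builtInControls: Control[] };
}

export interface SignIn {
  userPrincipalName: string;
  roles: string[];                // role template ids (assumed joined from role assignments)
  clientAppUsed: string;          // as displayed in the Entra sign-in log
  riskLevelDuringSignIn: RiskLevel;
  mfaSatisfied: boolean;
  deviceCompliant: boolean;
}

const has = <T>(arr: T[] | undefined, x: T): boolean => !!arr && arr.indexOf(x) !== -1;
const ALL_CLIENT_APPS: ClientAppType[] = ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"];
const GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"; // Global Administrator role template id

export const baselinePolicies: CaPolicy[] = [
  { displayName: "CA001 Block legacy authentication", state: "enabled",
    conditions: { users: { includeUsers: ["All"] }, clientAppTypes: ["exchangeActiveSync", "other"] },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
  { displayName: "CA002 Require MFA for medium/high risk sign-ins", state: "enabled",
    conditions: { users: { includeUsers: ["All"] }, clientAppTypes: ALL_CLIENT_APPS, signInRiskLevels: ["medium", "high"] },
    grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "CA003 Admin roles require compliant device", state: "enabled",
    conditions: { users: { includeRoles: [GLOBAL_ADMIN_ROLE] }, clientAppTypes: ALL_CLIENT_APPS },
    grantControls: { operator: "OR", builtInControls: ["compliantDevice"] } },
];

// Simplified mapping: only the browser and the modern rich-client category are
// modern auth; Exchange ActiveSync is its own category; everything else (IMAP4,
// POP3, authenticated SMTP, ...) is legacy, i.e. "other" in CA terms.
function clientAppType(clientAppUsed: string): ClientAppType {
  if (clientAppUsed === "Browser") return "browser";
  if (clientAppUsed === "Mobile Apps and Desktop clients") return "mobileAppsAndDesktopClients";
  if (clientAppUsed === "Exchange ActiveSync") return "exchangeActiveSync";
  return "other";
}

// A report-only policy is deliberately treated as not applied: "audit-only" is
// the default posture the page warns about, and it stops nothing.
function inScope(p: CaPolicy, s: SignIn): boolean {
  const u = p.conditions.users;
  const userMatch = has(u.includeUsers, "All") || s.roles.some(r => has(u.includeRoles, r));
  const appMatch = has(p.conditions.clientAppTypes, clientAppType(s.clientAppUsed));
  const riskMatch = !p.conditions.signInRiskLevels || has(p.conditions.signInRiskLevels, s.riskLevelDuringSignIn);
  return p.state === "enabled" && userMatch && appMatch && riskMatch;
}

const controlSatisfied: Record<Control, (s: SignIn) => boolean> = {
  block: () => false,
  mfa: s => s.mfaSatisfied,
  compliantDevice: s => s.deviceCompliant,
};

export type Decision = "success" | "failure" | "notApplied";

// Evaluate one sign-in against every policy; returns the overall decision and
// the display names of the policies whose grant controls were not satisfied.
export function evaluate(policies: CaPolicy[], s: SignIn): { decision: Decision; failed: string[] } {
  const applied = policies.filter(p => inScope(p, s));
  const failed = applied
    .filter(p => {
      const results = p.grantControls.builtInControls.map(c => controlSatisfied[c](s));
      return p.grantControls.operator === "OR" ? !results.some(r => r) : !results.every(r => r);
    })
    .map(p => p.displayName);
  if (applied.length === 0) return { decision: "notApplied", failed };
  return { decision: failed.length > 0 ? "failure" : "success", failed };
}

// Constructed sign-in records (not tenant data).
export const sampleSignIns: SignIn[] = [
  { userPrincipalName: "a.user@contoso.example", roles: [], clientAppUsed: "IMAP4", riskLevelDuringSignIn: "none", mfaSatisfied: false, deviceCompliant: false },
  { userPrincipalName: "b.user@contoso.example", roles: [], clientAppUsed: "Browser", riskLevelDuringSignIn: "medium", mfaSatisfied: false, deviceCompliant: true },
  { userPrincipalName: "ga@contoso.example", roles: [GLOBAL_ADMIN_ROLE], clientAppUsed: "Browser", riskLevelDuringSignIn: "none", mfaSatisfied: true, deviceCompliant: false },
  { userPrincipalName: "c.user@contoso.example", roles: [], clientAppUsed: "Mobile Apps and Desktop clients", riskLevelDuringSignIn: "low", mfaSatisfied: true, deviceCompliant: true },
];

export function replay(policies: CaPolicy[] = baselinePolicies, signIns: SignIn[] = sampleSignIns) {
  return signIns.map(s => ({ upn: s.userPrincipalName, ...evaluate(policies, s) }));
}

console.log(JSON.stringify(replay(), null, 2));
```

The IMAP4 sign-in is blocked by CA001 regardless of MFA, which is the "MFA is enough" gap from the first assumption above: legacy protocols never prompt for a second factor, so only a block policy closes them. Flipping CA001 to enabledForReportingButNotEnforced makes the same sign-in come back as notApplied, which is what an audit-only tenant looks like in practice.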

What we don't do

We don't sell fear. We baseline posture, instrument what matters, and answer the phone.

Most security pitches lead with statistics about breach cost. We don't. The number that matters is the time from your first signal to a contained incident, and that number is decided by configuration and rehearsal — not by the brand on your dashboard.

Incident lane

What an incident actually looks like, end to end.

Six phases. Realistic durations. Named leads. The artefact each phase produces. We rehearse this lane in tabletop form before we agree to operate it for you.

  1. 01

    Detect

    Duration

    0–15 min

    Lead

    Defender XDR + Sentinel correlation

    Signal / artefact

    Correlated alert with confidence ≥ medium

  2. 02

    Triage

    Duration

    15–45 min

    Lead

    Foetron analyst on call

    Signal / artefact

    Scope hypothesis · affected users + devices identified

  3. 03

    Contain

    Duration

    30–90 min

    Lead

    Foetron IR + Customer IT lead

    Signal / artefact

    Isolated endpoints · revoked tokens · CA policy hardened

  4. 04

    Eradicate

    Duration

    2–8 hours

    Lead

    Foetron IR + Customer infrastructure team

    Signal / artefact

    Persistence removed · credentials rotated · forensic image captured

  5. 05

    Restore

    Duration

    4–24 hours

    Lead

    Customer IT lead · Foetron supporting

    Signal / artefact

    Identity restored first · endpoint reimage · data validated

  6. 06

    Postmortem

    Duration

    Within 10 business days

    Lead

    Joint review

    Signal / artefact

    Written report · root-cause · configuration changes · drill date

Durations are realistic bands, not promises. The bands change with tenant size, license tier, and whether the incident touches privileged identity. We name the variables in your engagement, not in marketing copy.

Real shape

A recent posture engagement, anonymized.

Mid-market customer, ~350 users, two business units, M365 E3 + Defender for Endpoint Plan 2 + Sophos Central. Inherited from a prior MSP. We took ~9 weeks from posture review to operational handover.

Financial services · mid-market · ~350 users

Identity-first posture rebuild on inherited Microsoft tenant

Inherited from a prior MSP. M365 E3, Defender for Endpoint Plan 2, Sophos Central retained for endpoint enforcement. Compliance pressure from enterprise customers (ISO 27001 alignment, DPDP readiness). Identity layer running on legacy auth fallthroughs; PIM unused.

  • Week 1 — posture review. MFA at 71% coverage. No Conditional Access policy enforcing device trust. Two privileged accounts found without PIM.
  • Weeks 2–4 — identity baseline. CA policies rewritten against actual user segments. Token Protection deployed for admin roles. PIM rolled out with approval workflow. MFA to 98%.
  • Weeks 4–6 — endpoint posture. ASR rules tuned against the customer's actual LOB applications. EDR moved to block mode. Sophos alerts wired into Defender XDR.
  • Weeks 6–8 — incident lane rehearsal. Tabletop with IT lead, business unit head, external counsel. Two scenarios: privileged-token theft, ransomware via OneDrive sync.
  • Week 9 — operational handover. Defender XDR signals routed to Foetron managed operations. Quarterly posture audit cadence agreed.
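The week-one MFA coverage number above comes from a registration report, and the same report also tells you which admins sit on phone or email factors only. As an added example that is not Foetron's tooling, the check below computes coverage and the two admin findings from rows shaped like the Microsoft Graph report reports/authenticationMethods/userRegistrationDetails (field names isAdmin, isMfaRegistered, methodsRegistered). The rows are constructed, and the "strong" and "phone or email only" groupings are this example's own classification, not an Entra setting.

```typescript
// Added example, not Foetron's code: an MFA coverage check over the Entra
// authentication-methods registration report. Field names follow the Graph
// report reports/authenticationMethods/userRegistrationDetails; the rows below
// are constructed, and the STRONG / PHONE_OR_EMAIL groupings are this example's
// own classification, not something Entra reports.

export interface RegistrationDetail {
  userPrincipalName: string;
  isAdmin: boolean;
  isMfaRegistered: boolean;
  methodsRegistered: string[];
}

// Phishing-resistant methods (assumption for this report).
const STRONG_METHODS = ["fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"];
// Methods that count as MFA but rest on SMS, voice or email.
const PHONE_OR_EMAIL = ["mobilePhone", "alternateMobilePhone", "officePhone", "email"];
const has = (arr: string[], x: string): boolean => arr.indexOf(x) !== -1;

export interface CoverageReport {
  total: number;
  mfaRegistered: number;
  coveragePercent: number;        // rounded to one decimal
  adminsWithoutMfa: string[];
  adminsWithoutStrongMethod: string[];
  phoneOrEmailOnly: string[];     // registered, but every method is SMS/voice/email
}

export function mfaCoverage(rows: RegistrationDetail[]): CoverageReport {
  const registered = rows.filter(r => r.isMfaRegistered);
  const admins = rows.filter(r => r.isAdmin);
  const pct = rows.length === 0 ? 0 : Math.round((registered.length / rows.length) * 1000) / 10;
  return {
    total: rows.length,
    mfaRegistered: registered.length,
    coveragePercent: pct,
    adminsWithoutMfa: admins
      .filter(r => !r.isMfaRegistered)
      .map(r => r.userPrincipalName),
    adminsWithoutStrongMethod: admins
      .filter(r => !r.methodsRegistered.some(m => has(STRONG_METHODS, m)))
      .map(r => r.userPrincipalName),
    phoneOrEmailOnly: registered
      .filter(r => r.methodsRegistered.length > 0 && r.methodsRegistered.every(m => has(PHONE_OR_EMAIL, m)))
      .map(r => r.userPrincipalName),
  };
}

// Constructed report rows (not customer data).
export const sampleReport: RegistrationDetail[] = [
  { userPrincipalName: "ceo@contoso.example", isAdmin: false, isMfaRegistered: true, methodsRegistered: ["microsoftAuthenticatorPush", "mobilePhone"] },
  { userPrincipalName: "it.admin@contoso.example", isAdmin: true, isMfaRegistered: true, methodsRegistered: ["fido2SecurityKey", "microsoftAuthenticatorPush"] },
  { userPrincipalName: "helpdesk.admin@contoso.example", isAdmin: true, isMfaRegistered: false, methodsRegistered: [] },
  { userPrincipalName: "ops@contoso.example", isAdmin: true, isMfaRegistered: true, methodsRegistered: ["mobilePhone"] },
  { userPrincipalName: "sales1@contoso.example", isAdmin: false, isMfaRegistered: true, methodsRegistered: ["mobilePhone"] },
  { userPrincipalName: "sales2@contoso.example", isAdmin: false, isMfaRegistered: false, methodsRegistered: ["email"] },
  { userPrincipalName: "finance@contoso.example", isAdmin: false, isMfaRegistered: true, methodsRegistered: ["softwareOneTimePasscode"] },
];

console.log(JSON.stringify(mfaCoverage(sampleReport), null, 2));
```

The headline percentage is the number a posture review quotes, but the two admin lists are what drive the week-two work: an admin with no registered method is a PIM and Conditional Access gap, and an admin whose only factor is a phone number is still exposed to the token-theft and consent-phishing paths that the first assumption above describes.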

Reference customer available under NDA during assessment phase.

Where we operate from

Microsoft Security primary. Sophos partnership real. Alignments named.

We work inside the same accreditation envelope our customers do — Microsoft Security as the primary stack, Sophos as the endpoint partnership we actually have, and the compliance alignments that matter for India-based SMB and mid-market teams.

Primary accreditation

Microsoft Solutions Partner — Security

Defender XDR · Microsoft Entra · Microsoft Purview · Microsoft Sentinel

Vendor accreditations

  • Sophos Partner

    Endpoint protection — coexistence model with Defender XDR

  • Microsoft Defender for Endpoint

    Plan 1 + Plan 2 — deployed across customer base

  • Microsoft Sentinel

    SIEM + SOAR for the customers running Azure

  • CIS Controls v8

    Implementation Group 2 alignment for mid-market customers

  • DPDP Act 2023 readiness

    India-specific data protection alignment baked into engagement

  • ISO 27001 alignment

    For customers carrying enterprise compliance pressure

Accreditations are a floor, not a ceiling. They describe what we are licensed to operate; they do not describe how well we operate it. Ask for the reference customer.

Posture, not promises

Want a posture review before you commit to anything operational?

Two weeks. Fixed scope. Written report. We baseline identity, audit endpoint posture, review data controls, and produce a 30/60/90 plan with named configuration changes. You decide what to do with it.