No two environments match their documentation. I map what's actually deployed before touching a single configuration - including shadow IT, licensing gaps, and undocumented dependencies.

The first question I ask every stakeholder: "What's the one thing that keeps your IT team up at night?" The answers usually tell me more than a formal requirements document.

I use a structured checklist covering identity, endpoint management, security policies, and licensing utilization. Gaps in licensing overlap are one of the most common - and most overlooked - findings.

Organizations that deployed Azure under time pressure often have everything in a single subscription - no management group hierarchy, no policy inheritance, no workload or environment separation. The assessment maps the gap between that flat structure and a properly governed landing zone, and sequences the remediation work so governance can be applied without disrupting running workloads.

Priorities set by IT alone rarely match what the business actually needs. Getting both sides in the room early prevents costly rework later in the process.

A findings report isn't bureaucracy - it's the contract between what exists today and what we're building toward. Every subsequent decision references back to it.

At Latham Pool Products, I replaced Mimecast entirely with M365 E5 native capabilities - eliminating the third-party licensing cost while improving coverage. The capability was already paid for.

Hybrid identity is the most common integration challenge. Entra Connect Sync

Entra Connect Sync

Synchronizes on-premises Active Directory accounts to Microsoft Entra ID, enabling a single identity to work seamlessly across both environments.

handles most scenarios; the key is knowing which approach fits the environment.

Microsoft's landing zone framework provides a validated starting point: management group hierarchy, policy assignments at the right level, subscription design aligned to workload and environment type. The question isn't whether to follow the framework - it's how to adapt it to the organization's specific compliance requirements, workload mix, and operational model.

I use PowerShell for bulk user management, compliance reporting, tenant configuration exports, and Conditional Access

Conditional Access

A policy engine that evaluates sign-in risk, device health, and user context to decide whether to allow, block, or require additional verification for each access request.

policy deployment - reducing hours of manual work to minutes.

Best practices aren't a checklist applied in parallel - they're applied in order of risk. Identity controls first, then endpoint posture, then data protection. Sequencing matters.

Government environments need FedRAMP-aligned controls. Healthcare maps to HIPAA. Financial services require audit-ready logging. The platform adapts to the regulatory context - not the other way around.

Every plan includes a pilot group, defined success criteria, and a rollback path before any production change is made. The rollback plan is not optional.

Management groups first, then Azure Policy assignments at the right level, then network topology - hub VNet with shared services, spoke VNets per workload or environment. Building in the wrong order means retroactively applying governance to resources that were created before the guardrails existed. That remediation is harder than building it right the first time.

These three together cover identity, endpoint, and threat protection - the core of a Zero Trust posture. They're configured as an integrated system, not independently.

Every configuration change is tested in a non-production environment first, then validated with a pilot group before expanding. No big-bang rollouts when a phased approach is possible.

I write runbooks the ops team can actually follow - not architecture documents that sit on a SharePoint no one visits. If the team can't operate what was built, the project isn't finished.

Pilot → validate → expand. Stakeholders get visibility into each phase before the next begins. Surprises in production are a planning failure, not a technical one.

Azure Policy prevents non-compliant resources from being created in the first place. Defender for Cloud scores posture continuously and surfaces drift before it becomes an incident.

Policy applied at the management group level cascades to every subscription and resource group below it. That inheritance model is the architectural difference between governance that holds at scale and governance that gets worked around. RBAC design at the same level ensures role assignments are consistent without being manually replicated across every subscription.

A well-designed Conditional Access policy set is one of the highest-ROI security investments in any M365 environment. Most organizations have it partially configured; few have it fully and correctly applied.

Standing Global Administrator access is one of the most common findings in any security audit. PIM eliminates it with just-in-time elevation and approval workflows.

I configure monitoring that alerts when a setting deviates from the approved baseline - before it becomes a vulnerability or a compliance finding. Drift is inevitable; undetected drift is the problem.

Purview handles data classification, retention, and eDiscovery. At Latham Pool Products, I worked directly with Legal to build hold policies that held up in practice - not just on paper.

I track Microsoft 365 admin center reporting, Defender Secure Score trends, and Azure Monitor over time - not just at project close. A platform that looked healthy at launch can degrade quietly.

A well-structured landing zone makes cost attribution possible from day one - cost centers map to subscriptions, tags enforce through policy, and Azure Cost Management surfaces variance by workload. Environments built without that structure spend months trying to retroactively untangle ownership. Navigate is where the investment in proper structure pays back.

License utilization reviews frequently uncover significant waste - unused E5 licenses, duplicate tools, or underused capabilities that could replace paid third-party products entirely.

Microsoft announces major changes at Ignite and Build. I track the roadmap and evaluate what's coming before the organization asks - so they're positioned to take advantage of new capabilities, not caught off guard by deprecations.

Regular check-ins prevent the "set it and forget it" problem - environments that look good at launch but degrade quietly as configurations drift and new capabilities go undeployed.

The organizations that stay ahead of the curve treat architecture as a living practice, not a project with an end date. Navigate is what keeps the platform aligned to where the organization is going - not just where it was.