One client understands security architecture and wants detailed rationale for every policy decision. The next doesn't know what a global admin is but wants one anyway, on their daily driver account. Both are your responsibility. The approach has to flex without the standards flexing.

You almost never build from scratch. You inherit configurations that made sense to whoever set them up, or didn't make sense at all. Before touching anything, I map what's actually there. Assumptions about what should exist and what does exist are consistently different things.

Every improvement has to be deliberately propagated. There's no global policy push across unrelated tenants. What you build in tenant one has to be deliberately replicated across the others, which is why having a documented standard matters - it's the reference for every subsequent deployment.

Microsoft changes fast. A new Conditional Access template, a deprecation notice, a security default change - each one needs to be evaluated against all 25 environments. Building automation and using Microsoft 365 Lighthouse for visibility across the portfolio is how you manage that without drowning in it.

This is the most common and most serious finding. Small organizations often have one or two people who "own" the IT and want maximum access. What they don't understand is that a compromised daily driver account with Global Admin is a compromised tenant. Getting them off standing Global Admin and onto PIM

Privileged Identity Management

Grants admin access only when needed, for a defined time window, with optional approval - then removes it automatically. Eliminates standing privileged access.

is usually the first conversation I have.

In almost every small tenant I've inherited, permissions are assigned directly to individual users rather than through groups. It makes onboarding slower, offboarding riskier, and auditing nearly impossible. Rebuilding the permissions model around groups is foundational work that pays dividends in every subsequent change.

SharePoint is consistently the most misconfigured workload in small tenants. Overly permissive sharing settings, no external sharing governance, site collections created ad-hoc without naming standards, and Teams-created sites nobody is managing. It's usually not malicious - it's just that nobody was ever shown how to set it up correctly.

Security defaults enforce MFA but Conditional Access gives you control over how and when. Many small tenants have MFA "enabled" but not required - meaning users can skip it or it only triggers in some scenarios. A properly built Conditional Access policy set closes that gap and removes the ambiguity.

Not security defaults - a proper Conditional Access policy set that enforces MFA where it matters, allows for compliant device exceptions, and gives the admin team visibility into what's triggering. Security defaults are a starting point, not an architecture.

Intune enrollment is the foundation for device compliance in Conditional Access. Without it, you can't enforce "managed device" as a condition. I enroll everything - Windows, Mac, mobile - and configure compliance policies that feed directly into access decisions.

Every permission assignment goes through a group. New user onboarding means adding them to the right groups, not hunting down every individual permission. Offboarding means removing group memberships, not hoping you found everything.

Tenant-level sharing settings locked down to known domains or disabled externally where the business doesn't need it. Site naming conventions and ownership requirements set from the start. Teams-provisioned sites audited and brought under management.

Defender for Business is included in Business Premium and covers endpoint threat protection, vulnerability management, and attack surface reduction. Getting it actually active and configured - not just licensed - is step one. Most small tenants have it licensed and untouched.

Before any configuration change in an inherited tenant, I run through a structured assessment: what Conditional Access policies exist and what do they actually cover, what accounts have elevated roles, what legacy authentication is still active, where are the SharePoint permissions actually set. Changes made without this context break things you didn't know were there.

Conditional Access has a report-only mode that shows you who would have been blocked by a policy before you turn it on. I use it on every new policy in an inherited environment. It's how you find the service account that authenticates with legacy protocols before you lock it out of production.

When you block legacy authentication, the application that was quietly using basic auth stops working. When you enforce MFA, the shared mailbox that was being accessed directly stops working. These aren't surprises - they're predictable consequences of fixing the environment. The mitigation is finding them before enforcement, not avoiding the fix.

Every exception to the standard - every policy exclusion, every legacy authentication allowance, every overly permissive sharing setting left in place for a business reason - gets documented with context. If I get hit by a bus, the next person needs to know why the exception exists, not just that it does.

Users who understand why MFA exists are significantly more accepting of the friction it adds. "We're requiring this because your account is the key to everything in the organization, and it needs to be protected" lands better than "IT is making you do this." Context converts resistors into participants.

Quarantined email, MFA prompts, new sign-in experiences - all of these generate support tickets the first week they're active. I prepare communications in advance, write simple one-page guides for the most common user questions, and make sure whoever handles first-line support knows what's changing before it changes.

The conversation about what security governance will change needs to happen before any changes are made. If the business owner is surprised by what MFA does to their workflow, you've already lost the relationship. Agreement in advance on what will change and when turns implementation into execution, not a fire drill.

There are tenants where the right security posture, implemented all at once, would break the organization's trust in IT entirely. In those cases, phasing the changes over time - securing the highest-risk exposures first and building confidence before the next change - produces better outcomes than technically correct all at once. Architecture serves the business. Not the other way around.