Straight answers
Frequently asked questions
Everything UK businesses want to know before commissioning a Microsoft 365 security assessment, answered by the consultants who deliver them. Whatever is missing, the scoping call will cover.
Is Microsoft 365 secure by default?
No, and Microsoft says as much: the platform ships with security defaults that stop the crudest attacks, then hands you several hundred configuration decisions under the shared responsibility model. Microsoft secures the infrastructure; the configuration of your tenant, where almost every real-world breach happens, is yours. That gap between a secure platform and a secured tenant is exactly what an assessment measures.
What does a tenant security assessment include?
An expert review of your Microsoft 365 configuration against the CIS Microsoft 365 Foundations Benchmark: identities and admin roles, Conditional Access and MFA, Exchange and email protection, SharePoint, Teams and OneDrive sharing, Defender policies and audit logging, plus your Secure Score in real context. The output is a prioritised remediation roadmap, a board-level summary and a debrief.
How is this different from a free tool like Secure Score or a tenant scanner?
Free scanners compare settings against a baseline and output everything that deviates, in minutes, for nothing. They are a fine temperature check. What they cannot do is interpret the results for your business: which of the forty findings matter, which are noise, what to fix first and how to do it without breaking anything. The assessment is the judgement, not the list.
How much does a Microsoft 365 security assessment cost?
Our fees are fixed, banded by which workloads are in scope, and published in full on the pricing page, which makes us nearly unique in this market. Elsewhere, published UK day rates for comparable work run £850 to £1,250 with a three to four day standard shape, revealed only after you ask.
How long does the assessment take, and will it disrupt our users?
Three to four working days of assessment inside roughly a two-week window from scoping to debrief. Disruption is zero by design: the work runs on read-only access, changes nothing and installs nothing. Your users will not know it happened unless you tell them.
What access do you need to our tenant?
Read-only administrative access, granted using step-by-step guidance we provide and removed the moment the engagement ends. We never ask for global admin, never make changes during an assessment, and the access grant itself is a documented, reversible step your team performs.
How often should our tenant be audited?
A formal audit or assessment annually, with lighter reviews after significant changes: migrations, licence uplifts, acquisitions or incidents. Configuration drifts continuously, Microsoft changes the platform underneath you, and the attacks evolve; an annual rhythm catches all three.
What is a good Microsoft Secure Score for a business our size?
There is no universal number, because the score's denominator depends on your licences and workloads. That is why we publish real benchmark figures from assessed UK tenants on our Secure Score page rather than repeating a folk target. The reliable answer for your tenant comes from comparing it with tenants like yours.
Do we need Conditional Access if we already have MFA?
Yes. MFA is a control; Conditional Access is the policy engine that decides when it is demanded and by whom, blocks legacy protocols that bypass it entirely, and lets you treat an unmanaged laptop in an unexpected country differently from a known device in the office. MFA without Conditional Access is a lock without a doorframe.
Does the assessment cover Azure as well as Microsoft 365?
The Azure estate is a published add-on to any band rather than a default inclusion, because not every business runs one. The two share the Entra ID identity layer, so assessing them together costs less than two separate engagements.
What do we get at the end, and is there a sample report?
A scored findings register mapped to the CIS benchmark, a prioritised remediation roadmap, a board-level summary and a debrief session. A redacted sample report is available on request at the scoping call, so you can judge the depth before committing.
What happens after the assessment? Do you fix what you find?
Every band includes one remediation re-test, so the roadmap ends in verification. The fixes themselves are yours or ours: most clients handle the straightforward items internally and ask us to run the delicate changes, which we scope and price separately once the roadmap exists. For ongoing coverage, the CyPro SOC monitors tenants around the clock.
Does this help with Cyber Essentials or ISO 27001?
Substantially. A hardened tenant satisfies many of the technical controls both schemes test, and the assessment evidence maps cleanly onto their questionnaires. For the certifications themselves, CyPro runs dedicated services for Cyber Essentials Plus and ISO 27001, and the same firm behind all three means nothing is assessed twice.
Who sees our data and where are your consultants based?
Named UK-based CyPro consultants, listed on the report you receive. Assessment access is read-only and logged in your own audit trail, findings are handled under the engagement's confidentiality terms, and nothing about your tenant is shared outside the engagement team. Anonymised configuration statistics feed our published benchmarks only where clients have agreed.
One question left?
Put it to a consultant instead
45 minutes, free, and you leave knowing what an assessment of your tenant would check, cost and deliver, whether or not you book one.