Microsoft Environment Risk Scorecard

A fixed-fee, read-only diagnostic of identity, data, cost, and resilience risk across a Microsoft 365 and Azure estate — scored for leadership, not engineers.

Representative engagement. Anonymized; names and figures reconstructed to a representative level. Illustrative of a typical scorecard, not a specific client.

1Engagement overview

Background and objectives

A 120-user professional-services firm had grown its Microsoft estate organically over a decade and inherited it through an MSP handover. Leadership could not get a straight answer to three questions: what is actually risky, what is being wasted, and what to fix first. With a cyber-insurance renewal approaching, "are we actually secure?" had become a board-level question. They wanted a plain-English picture and a practical first step — not a forty-page audit or an open-ended retainer.

Methodology

A fixed-fee, read-only review across four domains, completed in five days with no production changes. Every finding was scored by severity and rolled into a single Risk Index, ranked for leadership.

• Identity — authentication methods, legacy authentication, admin roles, MFA coverage, guest access.
• Data — external sharing, broad-access groups, sensitive locations, sensitivity-label readiness.
• Cost — license assignment and waste, unused features, duplicate or oversized plans.
• Resilience — backup coverage and, critically, whether a restore had ever been tested.

2Executive scorecard

Posture by domain

Domain	Posture	Top issue	Severity
Identity & Access	At risk	Legacy auth enabled; admins not phishing-resistant	Critical
Data & Sharing	At risk	"Everyone" links on HR and finance; no labels in use	Critical
Cost & Licensing	Needs work	About 22% of license spend wasted	High
Resilience & Backup	Needs work	Backups never restore-tested; recovery time unknown	High
Access & Guests	Watch	Stale guest accounts and broad sharing	Medium

3Findings

• Identity, critical. Legacy authentication was still enabled, and two of the four global admins used app-push MFA rather than phishing-resistant methods, which adversary-in-the-middle kits can bypass.
• Data, critical. Several "everyone" sharing links exposed HR and finance libraries, and no sensitivity labels were in use, so nothing was classified or protected.
• Cost, high. Roughly 22% of license spend was wasted: unassigned licenses, oversized plans, and add-ons the firm already owned but never enabled.
• Resilience, high. Backups were assumed but had never been restore-tested, so the real recovery time was unknown.
• Eight medium findings spanned stale guest accounts, missing Conditional Access coverage, an unowned Azure resource group, and gaps in admin role hygiene.

4Ranked recommendations

1. Disable legacy authentication and move all admins to phishing-resistant MFA.
2. Remediate the "everyone" links on HR and finance, then introduce sensitivity labels.
3. Right-size licensing to recover the wasted spend and fund the remediation.
4. Run one controlled restore test to prove recovery time, then close the backup gaps.

5The first step

The license right-sizing alone offset the cost of the assessment several times over. The engagement led to a follow-on hardening sprint to execute the top recommendations.