One-time project

Microsoft 365 Security Baseline.

$1,500 fixed-fee for up to 25 seats. $40/seat above that. Five business days, kickoff to handoff. Eight categories of configuration applied, documented, and delivered as a written runbook your next IT lead can read. Standalone project — no retainer required.

Who this is for

Three patterns describe almost every business that books this project. If you recognize yourself in any of them, the baseline is probably the right next step.

M365 set up years ago and never hardened

Somebody — a previous IT provider, a one-time consultant, the founder's nephew — turned on Microsoft 365 five or ten years ago and configured what was necessary to get email and Teams working. The security side was never touched. MFA is optional. Guest access is wide open. Anybody with a tenant invite can stand up an OAuth app.

Carrier or broker is asking about M365 specifically

The 2026 cyber-insurance questionnaire now asks line-by-line about M365: Conditional Access, enforced MFA, audit log retention, Defender state, guest restrictions. Your renewal application is due, you do not know the answers, and you need someone to configure what is missing and document the result.

Pre-managed-services standalone project

You are considering a managed retainer but want to see how we work first. The baseline is a clean, scoped project that produces a real deliverable — a hardened tenant and a written runbook — without committing to a recurring engagement. About a third of baseline clients convert to a Tier 1+ retainer after delivery; the rest take the runbook and run.

What we configure

Eight categories, applied in the order that minimizes disruption. Every setting is captured in the runbook with the reasoning behind it — so the next person to touch the tenant knows why we chose what we chose.

01

Conditional Access policies

A policy set covering MFA for all users, MFA for admins on every sign-in, blocked legacy authentication, blocked sign-in from anonymizing proxies and high-risk countries, compliant or hybrid-joined device requirement where the SKU supports it. Each policy named, scoped, and tested before enforcement.

02

MFA enforced for every user

Authenticator app as primary method, hardware key or phone SMS as fallback. Per-user MFA registration audited and confirmed before legacy MFA is disabled. Break-glass admin account exempted from CA and given a 60-character password under owner control.

03

Defender for Office 365 / ATP enabled

Safe Attachments, Safe Links, anti-phishing policies, impersonation protection for the C-suite and the bookkeeper. Tuned to suppress the obvious false positives during the first week so users do not learn to ignore quarantine notifications.

04

Audit logging on and retained

Unified audit log enabled (it is not on by default in older tenants). Retention set per regulatory requirement, typically 180 days minimum. Mailbox auditing turned on for every mailbox, not just admins.

05

Sane retention and litigation hold

Retention policies for Exchange, SharePoint, OneDrive, and Teams that match your industry's documentation requirements. Litigation hold available and tested for the accounts that legal counsel would ask for.

06

Guest access restricted

Default guest invitation behaviour locked down. Guests cannot enumerate the tenant, cannot invite other guests, cannot access content they were not explicitly granted. External sharing on SharePoint and OneDrive set to a defensible default based on how the business actually shares files.

07

OAuth app consent locked down

User app-consent disabled. Admin-consent workflow enabled so any new OAuth integration has to be requested and approved. Existing risky-permission apps reviewed and either re-approved with reason or revoked.

08

DLP basics

A starter Data Loss Prevention policy covering Canadian SIN, credit card numbers, and any obvious industry-specific patterns (e.g. AER reporting fields for oilpatch, AgriStability data for ag-services). Policy tips on, blocking off — the first month is observational so users do not learn to bypass alerts they do not understand.
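As an added example (not the provider's own tooling), here is a read-only PowerShell drift check covering four of the eight categories above: unified audit log and mailbox auditing (04), guest invitation scope and guest role (06), user app consent and the admin-consent workflow (07), and an enabled Conditional Access policy that blocks legacy authentication (01). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account can read tenant policy; the role id and the finding strings are our own choices.

```powershell
# Added example, not the provider's code. Read-only: nothing here changes a setting.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules are installed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 04: unified audit log ingestion and per-mailbox auditing (not on by default in older tenants)
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is OFF')
}
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled at the organization level')
}
$unaudited = Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
    Where-Object { -not $_.AuditEnabled }
foreach ($m in $unaudited) { $findings.Add("Mailbox auditing OFF: $($m.UserPrincipalName)") }

# 06 and 07: who may invite guests, what guests can see, and who may consent to OAuth apps
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.AllowInvitesFrom -eq 'everyone') {
    $findings.Add('Anyone, including existing guests, may invite new guests')
}
# Assumed value: Microsoft's documented "Restricted Guest User" role id (guests cannot enumerate the directory)
$restrictedGuestRole = '2af84b1e-32c8-42b7-82bc-daa82404023b'
if ($authz.GuestUserRoleId -ne $restrictedGuestRole) {
    $findings.Add('Guests are not on the Restricted Guest User role')
}
if ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Count -gt 0) {
    $findings.Add('Users may self-consent to OAuth apps')
}
if (-not (Get-MgPolicyAdminConsentRequestPolicy).IsEnabled) {
    $findings.Add('Admin consent request workflow is OFF')
}

# 01: at least one enabled Conditional Access policy must block legacy (basic-auth) clients
$legacyBlock = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlock) { $findings.Add('No enabled CA policy blocks legacy authentication') }

if ($findings.Count -eq 0) { 'Baseline checks passed' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it once before the Day 1 snapshot and again after handoff; a clean second run is evidence the settings in the runbook are still in place.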

The process — five days, six checkpoints

Most of the configuration is invisible to users. The only changes that touch their day are the rollout email and the MFA enrolment prompt, both communicated in advance with a written how-to.

  1. Day 0: Scoping call (30 minutes)

    Free. We confirm fit, agree on scope, send the engagement letter. No fee invoiced until you sign.

  2. Day 1: Kickoff + temporary admin access

    You add us as a Global Admin in your tenant (temporary; removed on Day 5). Engagement letter signed, 50% retainer invoiced.

  3. Day 1–2: Baseline snapshot

    We document the current state of every setting we are about to change. Screenshots, exports, and a written before-state report you keep. If we need to roll anything back, the rollback is documented.

  4. Day 2–4: Configuration

    Conditional Access, MFA, Defender, audit logging, retention, guest restrictions, OAuth lockdown, DLP, applied in the order that minimizes user disruption. Most settings land overnight or on a Saturday so business hours stay clear.

  5. Day 4: User communications and validation

    We draft user-facing emails explaining what is changing and why. We validate every policy with test accounts. Any false positives surfaced during validation are tuned out before users are affected.

  6. Day 5: Runbook handoff

    Final invoice issued. Written runbook delivered: the configuration we applied, why each setting was chosen, and how the next person to touch the tenant can change it without breaking what we built. Our admin access removed.

What this project does not do

Honesty about scope is part of the deliverable. Here is what we explicitly do not promise.

This is not a tenant migration

We are hardening the tenant you have. If you need to migrate from Google Workspace, on-prem Exchange, or consolidate multiple tenants, that is a separate M365 Migration project — $250/seat, also published on the services page.

This is not ongoing tenant administration

The runbook is yours. After Day 5, the baseline is operational and your internal IT or current MSP runs the tenant. If you want us to operate it, that is what the Cyber Essentials managed tier covers — bundle is optional, not required.

This is not user training

We draft the user-facing communications about what is changing. We do not deliver awareness training as part of this project. If users need ongoing phishing simulation and training, see our Phishing Training service.

This is not a compliance certification

We bring the tenant into alignment with the CIS Microsoft 365 Benchmark and the controls most cyber-insurance carriers expect. We are not auditing for SOC 2, ISO 27001, or PCI — those are different engagements with different scopes and different prices.

Pricing — said out loud

  • $1,500 CAD fixed-fee, up to 25 seats. Not an estimate. Not a starting point. The number on the engagement letter is the number on the final invoice.
  • $40/seat for seats 26 and above. Linear, predictable, no surprise tiers. A 60-seat tenant is $1,500 + (35 × $40) = $2,900.
  • 50% retainer at kickoff, 50% on runbook delivery. Net 15 invoicing. e-Transfer or cheque accepted.
  • Full credit toward retainer if you convert within 90 days. $1,500 (or your invoiced total) applies against the first month of any managed tier.
  • Pairs with the $2,500 Assessment. If you want the gap analysis and roadmap first, take the Assessment, then book the Baseline to implement the M365-specific findings.

Frequently asked questions

How long does it really take?

Five business days, kickoff to runbook handoff, for tenants up to about 25 seats. Larger tenants (50–100 seats) typically run seven to ten business days because there is more existing-user variation to validate against. Anything larger gets a custom quote; the per-seat economics still beat hourly engineering.

What if I have a custom existing configuration?

Most tenants do. The baseline snapshot on Day 1 captures the existing configuration before we change anything. Where the existing setup is already good, we leave it. Where it conflicts with the baseline, we document the conflict, recommend a resolution, and only proceed once you sign off. We do not blow away working configuration to fit a template.

What M365 SKU do I need?

Business Basic or Standard are workable but require a couple of compromises (no Conditional Access, no Defender for Office 365, limited audit retention). Business Premium, E3, or E5 unlock the full baseline. If the business is on Basic or Standard today, the runbook lists the line items an upgrade would unlock; that is usually a $5–$20/seat/mo decision that pays for itself the first time it stops an account takeover.

Do you need Global Admin access?

Yes, temporarily. Most of the baseline settings cannot be applied without it. The temporary admin account is named, scoped, MFA-enforced, audit-logged from creation, and removed on Day 5 as part of the handoff. You retain a screenshot of when the account was created and when it was removed.

Can users keep working during the project?

Yes. Every change is timed to minimize disruption — most policies enforce after hours, validation happens with test accounts, and user-facing communications go out before any change a user could notice. The only visible change for most users is a one-time MFA enrolment prompt, which is communicated in advance with a how-to guide.

Can the $1,500 be credited toward something?

Yes. If you convert to a Cyber Essentials, Cyber Essentials + Managed IT, or Cyber Premium retainer within 90 days of runbook delivery, the full $1,500 credits against your first month of managed services. The credit applies once per engagement.

Ready to harden the tenant in a week?

The scoping call is free, takes 30 minutes, and confirms fit before any fee is invoiced.