Microsoft 365 Security · Entra ID · Bremen
Microsoft 365 properly secured – from migration to secure operations. Structured migration & hardening of your tenant. Copilot readiness, Entra ID & Data Loss Prevention.
Many mid-sized companies use Microsoft 365 merely as an expensive email replacement – often without a functioning security concept. I migrate your data losslessly into the cloud and configure Microsoft 365 as a highly secure ecosystem: with Conditional Access (Zero Trust), protection against data exfiltration (Purview DLP), and a clean permission structure so that AI (Copilot) does not suddenly make board emails visible to everyone.
Free initial consultation (30 minutes)
How vulnerable is your cloud data?
Four business-critical questions for executives and IT leadership. If you hesitate here, your tenant is an open door for data exfiltration and account takeovers.
Are you certain that only employees access your company emails?
A simple password is no longer enough – and neither is MFA alone. Modern phishing (AiTM) uses proxy pages that forward the MFA confirmation in real time and then capture the session token. The attacker is in before your network notices anything. Only Conditional Access with device compliance blocks this reliably.
Do you know who has external access to confidential SharePoint documents?
Sharing links is easy, revoking them is often forgotten. Without clean SharePoint governance (sharing restrictions, expiring links, access reviews) and content protection (Purview Sensitivity Labels), you lose track of who can read which data – and when that access ends.
Are you ready for M365 Copilot, or will the AI soon read HR data?
Copilot finds everything a user theoretically has access to. In historically grown tenants with excessive permissions, introducing AI can lead to confidential financial or HR data suddenly becoming searchable for all employees.
Do you rely on Microsoft to back up your cloud data?
Microsoft guarantees server availability (SLA), but offers no true granular backup service once the short recycle bin retention expires (Shared Responsibility). An external cloud backup is absolutely mandatory.
An unconfigured tenant is a liability risk
The default settings ("Next, Next, Finish") of Microsoft 365 are designed for maximum usability – not security. You only feel the consequences when damage occurs.
GDPR violations & data exfiltration
If employees download sensitive customer data unencrypted to personal devices or distribute it via share links, hefty fines loom. Without technical guardrails (DLP), data protection is pure luck.
Business Email Compromise (BEC)
Business Email Compromise is the most lucrative form of attack. Criminals take over the CEO's mailbox, read along for months, and then divert payments using forged invoices.
Compliance & Cyber Insurance
Insurers demand strictly enforced Multi-Factor Authentication (MFA) and proof of external cloud backups as an absolute baseline. If these measures are missing, your insurance coverage is void.
How I build Microsoft 365 into a security fortress
I transform M365 from a mere software collection into a strictly controlled Zero Trust ecosystem.
Identity Protection & Zero Trust
Entra ID · Conditional Access
I tie the login to hard conditions: M365 access is only granted if the risk is low, MFA is provided, and (optionally) the company device is marked as "Compliant" (Intune). This effectively blocks session theft.
Advanced Protection against Phishing & Malware
Defender for Office 365 · Safe Links
Standard spam filters are not enough. I implement Defender for Office 365: Safe Attachments analyses attachments in an isolated sandbox before they reach the inbox – malicious attachments are blocked before any employee can open them. Safe Links checks URLs at click time against live threat intelligence.
Information Protection & DLP
Microsoft Purview · Sensitivity Labels
Sensitive data (e.g., "Strictly Confidential") is classified and encrypted. This ensures a document remains unreadable even if it is accidentally emailed to the wrong recipient.
Copilot Readiness (Permission Audit)
SharePoint Governance · Access Reviews
Before you activate AI, we clean up. I audit SharePoint permissions and remove orphaned external links, ensuring Copilot only finds exactly what is intended for the respective user.
Mobile Device Management (MDM/MAM)
Intune · Bring Your Own Device (BYOD)
Endpoints are the biggest gateway for attacks today. We manage Windows clients and smartphones centrally via Intune. App Protection Policies (MAM) separate corporate data in M365 apps from personal apps – data transfer between managed and unmanaged apps is blocked, without taking full control of the personal device.
Secure Migration without Downtime
Exchange Online · Cutover/Hybrid
I migrate your on-premises Exchange losslessly to the cloud – including emails, calendar, and contacts. For older mail systems or Google Workspace as the source, I use the right tools to transfer all data completely. This includes the SPF/DKIM/DMARC setup and fallback plans.
Deep engineering in the Microsoft Cloud
M365 security is not just clicking around the Admin Center. I configure your system according to established enterprise security baselines (CIS / Microsoft Best Practices) and use advanced automation.
My Microsoft 365 Stack
Entra ID Identity Protection
We use risk-based policies. If Entra ID detects "impossible travel" (e.g., login from Bremen and 5 minutes later from Asia), the session is hard-terminated and a password reset is enforced.
Data Loss Prevention (DLP)
I build Purview DLP policies that block the unencrypted transmission of credit card numbers, IBANs, or specific project IDs at the transport level.
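As an added example (not the consultant's own script) of the transport-level DLP policy described above, the following Security & Compliance PowerShell creates a Purview DLP policy that first runs in test mode and then blocks unencrypted outbound mail containing credit card numbers or IBANs. It assumes the ExchangeOnlineManagement module and a compliance administrator account; the policy and rule names are placeholders.

```powershell
# Added example: Purview DLP policy for financial identifiers (not the
# consultant's own script). Assumes: ExchangeOnlineManagement module installed,
# Connect-IPPSSession run as a compliance admin. Policy/rule names are placeholders.
Connect-IPPSSession

# Scope: all Exchange Online mailboxes. TestWithNotifications shows the policy
# tip to senders but blocks nothing yet (the "report-only" stage of a rollout).
New-DlpCompliancePolicy -Name "DLP-Financial-Identifiers" `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Block unencrypted transmission of card numbers and IBANs"

# Rule: at least one match of either built-in sensitive information type in mail
# to recipients outside the organization -> block, explain to the sender, and
# file an incident report for the admin. Project-specific IDs would need a custom
# sensitive information type in addition to these built-in ones.
New-DlpComplianceRule -Name "Block-external-cards-and-IBANs" `
    -Policy "DLP-Financial-Identifiers" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This email contains financial identifiers and must be encrypted before sending." `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# After reviewing the matches in the DLP reports, switch from test mode to enforcement:
Set-DlpCompliancePolicy -Identity "DLP-Financial-Identifiers" -Mode Enable
```

Run the rule in test mode for a few weeks first: the reports show which legitimate processes (e.g. accounting sending invoices) need an encryption path before blocking starts.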
Exchange Online Hardening
Strict enforcement of Modern Authentication and blocking of high-risk legacy protocols via Conditional Access. Clean configuration of SPF, DKIM, and DMARC (Strict mode) so your emails are guaranteed to be delivered.
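The following function, added here as an example and not part of the consultant's tooling, checks the SPF, DKIM, and DMARC posture of a domain the way the "Strict mode" above is meant: DMARC at p=reject with strict alignment. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and the Exchange Online DKIM selector names selector1/selector2; the domain is passed in by the caller.

```powershell
# Added example (not the consultant's own script): report a domain's mail
# authentication posture. Assumes Resolve-DnsName (DnsClient module) and the
# Exchange Online DKIM selectors "selector1"/"selector2" (CNAME records).
function Test-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF is a TXT record on the apex; DMARC lives under _dmarc.<domain>
    $spf   = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like 'v=spf1*' }
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like 'v=DMARC1*' }
    # Exchange Online publishes its DKIM keys behind two CNAMEs per domain
    $dkim1 = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $dkim2 = Resolve-DnsName -Name "selector2._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue

    # Parse "tag=value" pairs; absent tags fall back to the RFC 7489 defaults
    # (relaxed alignment, 100 % of mail subject to the policy).
    $tags = @{ p = $null; adkim = 'r'; aspf = 'r'; pct = '100' }
    if ($dmarc) {
        foreach ($pair in (($dmarc -join '') -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
    }

    [pscustomobject]@{
        Domain          = $Domain
        SpfPresent      = [bool]$spf
        SpfHardFail     = [bool]$spf -and (($spf -join ' ') -match '-all\s*$')
        DkimSelectors   = [bool]$dkim1 -and [bool]$dkim2
        DmarcPresent    = [bool]$dmarc
        DmarcPolicy     = $tags.p
        DmarcEnforced   = ($tags.p -eq 'reject' -and $tags.pct -eq '100')
        StrictAlignment = ($tags.adkim -eq 's' -and $tags.aspf -eq 's')
        DmarcRecord     = ($dmarc -join '')
    }
}

# Usage: Test-MailAuthPosture -Domain example.com
```

Expect DmarcEnforced and StrictAlignment to be False on most untouched tenants; moving to p=reject should go via p=none with rua reports, then p=quarantine, to avoid rejecting legitimate mail from forgotten third-party senders.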
Automation & Graph API
I do not roll out policies by hand. I use standardized PowerShell scripts and the Microsoft Graph API to ensure reproducible and documented configuration states.
I am not a Microsoft license seller. I do not earn from CSP margins. My job is to extract the maximum security level from your existing licenses (e.g., Business Premium or E3/E5).
Structured deployment, no flying blind
Whether a new migration or tenant hardening: Changes in the cloud require precision, as they affect all users immediately. My process guarantees predictability.
Tenant Security Audit & Secure Score
Analysis of the current state: We check the Microsoft Secure Score, identify outdated protocols, open shares, and unnecessary licenses. You receive a prioritised report: what is critical, what can wait, and what can be activated immediately from existing licenses.
Security Baseline Design
Drafting the Conditional Access rules and device compliance specifications. Important: We define a "Break-Glass" concept (emergency admin) so you never lock yourself out of the tenant.
Staged Rollout & Migration
Security features and migrations are applied to pilot users in phases. Policies initially run in "Report-Only" mode to validate the impact on user experience.
Documentation & Handover
You receive full tenant documentation. I set up a cloud-to-cloud backup with a third-party provider of your choice – external backup is one of the baseline requirements for cyber insurance and compliance.
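As an added example of the baseline design and staged rollout described in the steps above (not the consultant's own scripts), the following Microsoft Graph PowerShell creates the two Conditional Access policies this page mentions: MFA plus an Intune-compliant device for all users and all cloud apps, and a block on legacy authentication. Both start in report-only mode and exclude a break-glass account. It assumes the Microsoft.Graph module, an administrator with the Policy.ReadWrite.ConditionalAccess permission, and a placeholder object ID for the emergency-access account.

```powershell
# Added example (not the consultant's own script): baseline Conditional Access
# policies via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and
# an admin consented to Policy.ReadWrite.ConditionalAccess. $BreakGlassId is a
# PLACEHOLDER: replace it with the object ID of your emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder

# Policy 1: every interactive sign-in to every cloud app requires MFA AND an
# Intune-compliant device. Report-only first, so the sign-in logs show who would
# have been blocked before anyone actually is. Devices must be enrolled before
# this is enforced, or the enrollment itself gets blocked.
$requireMfaCompliant = @{
    displayName   = "CA001 - Require MFA and compliant device (all users)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser","mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa","compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaCompliant

# Policy 2: block legacy protocols (Basic auth over POP/IMAP/SMTP AUTH, older
# ActiveSync) because they cannot perform MFA and are the classic password-spray
# target. "other" covers all non-modern clients.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Review the report-only evaluation in the sign-in logs, then flip state to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```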
Independent Cloud Architecture for SMEs
I bring proven corporate security standards to your company – transparently, as an equal partner, and without the license sales targets of a system house.
Experience from critical environments
In my main job, I administer IT infrastructures in the European aerospace sector under the highest data protection requirements. I bring this standard of security and precision to your M365 tenant.
License Optimization & Right-Sizing
SMEs often pay for features they never activate. I analyze your requirements and recommend exactly the license tier (e.g., Business Premium vs. E3) that offers the best cost-benefit ratio.
Security as a baseline, not an add-on
MFA, Defender, and Conditional Access are not optional services for me. They are the mandatory foundation of every migration or hardening project.
Seamless Documentation
Every configured policy is documented. No vendor lock-in, no "knowledge in my head". Your internal IT team can take over and operate the tenant immediately.
Direct line to the Engineer
You talk directly to me – the Engineer who plans the migration, configures Entra ID, and writes PowerShell if needed. No project manager overhead.
Bremen & Remote
On-site in Bremen and northern Germany for workshops and analyses, remote for configuration engineering and nightly migration cutovers.
The before-and-after comparison
An uncontrolled email tenant becomes a compliant, secure, and AI-ready data platform.
Before: A stolen password is all it takes for full access to all corporate data.
After: Access only with MFA and ideally only from Intune-managed corporate devices.
Before: External service providers have permanent access to outdated SharePoint links.
After: Automated guest lifecycle management and cleanup of orphaned external shares.
Before: Emails often end up in recipients' spam folders (missing authentication).
After: Clean reputation: SPF, DKIM, and DMARC correctly configured – DMARC set to enforcement (p=reject).
Before: Danger that M365 Copilot exposes sensitive board data to all employees.
After: Copilot-Ready: Permissions are audited, Purview Sensitivity Labels protect documents.
Before: Accidentally deleted files are eventually gone for good without an external backup – Microsoft's own recycle bin is not a backup substitute.
After: External cloud backup enables recovery even after ransomware, sabotage, or accidental mass deletion – independent of Microsoft's own retention window.
Before: Fear of failing an NIS2 audit or cyber insurance check.
After: Documented "state of the art" according to CIS baselines – audit and insurance ready.
What you are probably wondering
Clear answers to the most important questions about M365 migrations and cloud security.
Yes, absolutely. Many companies were migrated to the cloud by service providers without features like Entra ID Conditional Access, Defender, or Intune ever being configured. An audit immediately shows what gaps you have and how we can fully utilize your existing licenses for better security.
No. I am intentionally not a Microsoft CSP (Cloud Solution Provider). This means: I receive no margins for selling licenses. You continue to purchase your licenses through your usual system house or directly from Microsoft. This guarantees you 100% independent advice on "right-sizing" (e.g., downgrading to cheaper plans if features are not needed).
That is the biggest risk right now. Copilot respects your M365 permissions. If permissions were granted generously in the past ("everyone can read everything"), any employee can now have AI summarize salaries or strategy papers in seconds. A permission cleanup before the Copilot rollout is essential.
No, if the migration is planned cleanly. I perform mailbox migrations in parallel operation: During the migration, emails continue to flow in both directions. The actual cutover (switching the DNS/MX records) takes place in a maintenance window on the weekend or at night.
A system house often simply sets up mailboxes. My focus is Cloud Security Architecture. I configure the "underneath": Intune for device management, Purview for Data Loss Prevention, and deep Entra ID security policies that stop ransomware and phishing attempts at the architectural level.
No. Microsoft ensures the availability of the data centers (SLA), but not your data (Shared Responsibility). Relying on the internal recycle bin leaves you without a reliable safety net in the event of ransomware, employee sabotage, or accidental mass deletion. An external third-party backup is a mandatory requirement for every company.
This varies considerably depending on your starting point and company size. An Exchange migration for a smaller company (up to ~50 mailboxes) is typically completed within 6–10 weeks. For 100+ mailboxes, hybrid setups, or when Entra ID, Defender, and Intune are being built out simultaneously, plan for 10–16 weeks. Since I deliver projects outside my regular working hours, coordination cycles and minor change loops are already factored in – which means no rushed decisions and no surprises.
Your Microsoft 365 was spun up quickly back then – the main thing was that it worked. Default settings were left in place, licenses handed out generously. Since then, no one has systematically looked at who actually has access to what – and whether that is even still justifiable.
Who has admin rights in your tenant?
How many global administrators does your company currently have? And how many of them hold these rights only because, at some point, no one had the time to revoke them again?
What path does your cloud traffic take out of your premises?
Microsoft 365 communicates outward non-stop. But who actually defines the paths by which this data leaves your premises – and who controls what really happens within that data stream?