AI assistant — not human

Identity + Entra + Defender XDR + Purview + Intune + Copilot governance + Secure Score + compliance mapping. Three-week fixed-fee assessment $85K-$245K.
Last updated July 9, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Comprehensive M365 security assessment covers 7 domains: Identity + Access + Endpoint + Device + Email + Collaboration + Data Protection + Threat Detection + Cloud Apps + AI Governance. Seven deliverables including Secure Score baseline + prioritized roadmap + full config inventory + compliance mapping + threat model + insider risk baseline + board briefing. Uses 8 Microsoft-native + CIS Benchmark tools. Three-week fixed-fee $85K-$245K. Maps to CMMC 2.0 + HIPAA + SOC 2 + NIST CSF 2.0 + FedRAMP + ISO 27001. Typical Secure Score improvement 45-55% baseline → 75-85% within 90 days.
Seven assessment domains covering the full Microsoft 365 + Entra + Azure security surface: (1) Identity + Access — Entra ID configuration, MFA + phishing-resistant methods, Conditional Access policy audit, PIM + JIT, guest access controls, service account inventory. (2) Endpoint + Device — Intune configuration, device compliance policies, autopatch posture, BitLocker + FileVault status, USB + external media controls. (3) Email + Collaboration — Exchange Online Protection + Defender for Office 365 configuration, safe attachments + safe links + anti-phishing policies, Teams + SharePoint external sharing baselines. (4) Data Protection — Purview sensitivity labels, DLP policies, oversharing detection, retention labels + records management, insider risk management. (5) Threat Detection — Defender XDR (Endpoint + Identity + Cloud Apps + Office) configuration, Sentinel SIEM integration, custom detection rules, incident response playbooks. (6) Cloud Apps — Defender for Cloud Apps discovery + policies, shadow IT inventory, sanctioned/unsanctioned app enforcement. (7) AI + Copilot Governance — Copilot for M365 access controls, sensitivity respect verification, oversharing detection tuning, DSPM for AI configuration.
Seven concrete deliverables: (1) Executive summary scoring assessment against Microsoft Secure Score + CIS Microsoft 365 Foundations Benchmark + NIST CSF 2.0. Typical target: Secure Score improvement from 45-55% baseline to 75-85% within 90 days. (2) Prioritized remediation roadmap — 30-60-90 day phased plan with effort + risk-reduction scores per remediation item. (3) Full configuration inventory — all Entra + Exchange + Defender + Purview + Intune settings documented as-configured with recommended target-state. (4) Compliance mapping — findings mapped to CMMC 2.0 Level 2/3, HIPAA Security Rule, SOC 2 Type 2 CC controls, FedRAMP Moderate/High baselines. (5) Threat modeling report — highest-risk attack paths with concrete detection + prevention recommendations. (6) Insider risk baseline — inventory of high-risk user + data flow patterns requiring monitoring. (7) Board-ready executive briefing deck — quantified risk reduction + investment + ROI. Fixed-fee $85K-$245K depending on tenant size.
Eight Microsoft-native + third-party tools: (1) Microsoft Secure Score — baseline against Microsoft benchmark + peer comparisons. (2) Microsoft Compliance Manager — mapping to compliance frameworks with improvement recommendations. (3) Defender XDR Portal — configuration + alerts + custom detection review. (4) Purview Compliance Portal — sensitivity + DLP + insider risk + records posture. (5) Microsoft Sentinel Content Hub — SIEM-side detection rule catalog for M365 telemetry. (6) Entra ID Configuration Analyzer — misconfigurations + best-practice deviations. (7) CIS Microsoft 365 Foundations Benchmark v3.x — 200+ security configuration controls. (8) Custom EPC Group audit scripts — PowerShell + Graph API + Defender API + Purview API to inventory all configurations programmatically (not manual clicking-through-portals). Cross-tool: Microsoft Purview DSPM for AI + Copilot Studio governance for AI-specific controls.
Three-week fixed-fee timeline: (1) Week 1 Discovery — kickoff, credential provisioning, automated configuration inventory (Graph + Defender + Purview APIs), organizational context gathering, existing incident + audit report review. (2) Week 2 Analysis — Secure Score + CIS Benchmark scoring, threat model development, compliance framework mapping, insider risk baseline, findings correlation. (3) Week 3 Delivery — remediation roadmap prioritization, executive summary + technical detail report writing, board briefing deck creation, findings review call, remediation kickoff planning. Assessment is $85K-$245K depending on tenant size + workload count + compliance frameworks in scope. Follow-on remediation engagement is separately scoped, typically $185K-$785K.
Seven high-frequency findings across EPC Group assessments: (1) MFA gaps — service accounts + break-glass accounts + shared mailboxes without MFA, or MFA using weak methods (SMS/voice) instead of phishing-resistant (FIDO2/Windows Hello). (2) Conditional Access gaps — policies missing device compliance requirement, or with excessive "exclude this admin" overrides that turn into permanent bypasses. (3) PIM not enforced — global admins + eligible role assignments not using PIM + JIT, creating standing privilege. (4) Guest access sprawl — thousands of guest accounts inactive but retaining access to sensitive Teams + SharePoint sites. (5) Oversharing accumulation — "Everyone except external users" permissions on 20-40% of SharePoint content, making Copilot leak content across departments. (6) Defender for Office 365 gaps — Safe Links + Safe Attachments not enforced on all users, or Priority Account Protection not configured for executives. (7) Insider risk not deployed — Purview Insider Risk Management not configured, missing signals for data exfiltration + departing employee risk.
Six compliance framework mappings included by default: (1) CMMC 2.0 Level 2/3 — 110 practices for Level 2, additional 24 for Level 3. Findings mapped to specific CMMC practices (AC.L2-3.1.1 through SC.L2-3.13.16). (2) HIPAA Security Rule — Administrative, Physical, Technical safeguards mapped to Entra + Defender + Purview controls. (3) SOC 2 Type 2 — Trust Services Criteria CC1-CC9 mapped to M365 configuration + monitoring evidence. (4) NIST CSF 2.0 — Identify + Protect + Detect + Respond + Recover functions mapped with specific control identifiers. (5) FedRAMP Moderate/High — for GCC + GCC High tenants, ATO evidence collection + POA&M input. (6) ISO 27001 Annex A — mapped for organizations with existing ISMS. Cross-framework: findings deduplicated so one misconfiguration + fix maps to multiple framework requirements — reducing remediation effort 40-60% vs siloed audits per framework.
EPC Group's M365 security assessment practice is anchored by Founder & Chief AI Architect Errin O'Connor and delivered by senior consultants with 15-20+ years continuous Microsoft ecosystem experience + relevant vertical + compliance framework depth. Credentials: (1) Microsoft Solutions Partner in Security designation (one of six earned by fewer than 200 global partners). (2) 29 years continuous Microsoft ecosystem delivery — Errin O'Connor has architected security + compliance for Fortune 500 healthcare + financial services + defense + government tenants since Windows NT + Exchange Server + SharePoint 2001 era. (3) Cross-vertical proof across CMMC + HIPAA + SOC 2 + FedRAMP + PCI DSS engagements. (4) US-only senior bench — no offshore delivery for regulated tenants. (5) Microsoft Press bestselling author on SharePoint + Power BI + Azure + large-scale migrations — reference material for enterprise Microsoft security architects. Assessments delivered under fixed-fee scope with named senior consultant commitment + executive sponsorship + 30-day remediation roadmap guarantee.
30-min qualification. Fixed-fee 3-week assessment kickoff within 10 business days. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day