Before vs after IT Works managed M365
Default setup
MFA is inconsistent, conditional access is missing, permissions drift, and licensing is unmanaged.
IT Works managed setup
Identity controls are enforced, collaboration is governed, backup is validated, and licensing is optimized monthly.
Microsoft 365 for Calgary businesses: properly configured, actually secure
Most Calgary businesses are running M365 with default settings from day one, which means unprotected mailboxes, over-permissioned users, and backups that don't exist. We run M365 the right way.
What we see in most M365 tenants
We audit Microsoft 365 environments for new clients. The pattern is consistent. The tenant was set up months or years ago. It's been running on autopilot ever since. Here's what we typically find:
- No MFA enabled: Users log in with just a password. If someone's password is stolen, the attacker owns the account.
- Shared admin accounts: The global admin password is known by multiple people. Anyone with that password can delete everything.
- No conditional access: Users can log in from anywhere. If a password is compromised, an attacker can access M365 from Russia or China without triggering suspicion.
- Teams channels with unrestricted access: Teams are set to public. Anyone in the organization can join any channel. Sensitive project data is visible to people who shouldn't see it.
- Licensing mismatches: You're paying for licenses that nobody uses, or people need features you haven't licensed for them.
- No backup strategy: Files are stored in OneDrive and SharePoint. That's not a backup. If someone deletes everything or ransomware strikes, it's gone.
The common thread: M365 was never properly hardened. It's working, sure. But it's not secure. And if something goes wrong, there's no recovery plan.
What we manage in M365
M365 Security Hardening
We configure your tenant from the ground up. MFA is enforced. Conditional access policies require extra verification for risky logins. Password policies are strong. We enable DLP rules to prevent data loss. Admin accounts are restricted. Your mailbox and data are protected.
User & Identity Lifecycle
When someone joins your company, we provision their M365 account and grant access to teams, projects, and apps. When they leave, we immediately disable access, archive their mailbox, and transfer files to their manager. No lingering access. No abandoned accounts.
Teams, SharePoint & OneDrive
We set up Teams channels with appropriate privacy settings and access controls. We configure SharePoint libraries so only the right teams can access the right content. OneDrive is set up for personal files with proper retention and recovery settings.
Licensing Management
We audit your licenses monthly. We see what you're using, what you're not using, and what you should upgrade. We optimize your licensing so you pay for what you need without overpaying. Scale up or down as your team changes.
Cloud Backup & Recovery
We implement proper backup for Microsoft 365. Data is backed up separately from your M365 tenant, stored in a secure location, and regularly tested for recovery. If something is deleted or encrypted, we can restore it without relying on Microsoft.
Microsoft 365 is not a backup
This is the most important thing to understand. Many businesses think, "Our data is in Microsoft 365, so it's safe." It's not.
M365 is a storage platform, not a backup.
Here's why:
- Deletion is permanent: If someone accidentally deletes a file from SharePoint or OneDrive, it goes to the recycle bin. After 93 days, it's gone forever. Microsoft doesn't keep older versions indefinitely.
- Ransomware encrypts everything: If ransomware gets into your M365 tenant, it encrypts files in OneDrive and SharePoint just like it would on a local drive. Your "backup" is now encrypted and useless.
- Admin compromises are catastrophic: If an attacker compromises your global admin account, they can delete everything. Permanently. There's no recovery because M365 itself doesn't keep an immutable backup.
- Data loss from misconfiguration: A bad script, a user error, a policy change: any of these can wipe data. M365 won't undo it.
A proper backup meets three requirements:
- It's separate from the primary system
- It's immutable: once written, nobody can delete or modify it
- It's tested regularly so you know it actually works
M365 alone meets none of these criteria. That's why we implement separate backup. We store M365 data in an external backup system, test recovery regularly, and keep multiple versions. If something bad happens, we can restore from a known good state.
Microsoft 365 for Calgary industries
Legal & Accounting Firms
Client confidentiality is critical. We configure M365 with strong access controls so only authorized staff see client files. We ensure audit trails are maintained for compliance and client information is protected.
Healthcare Organizations
PIPEDA requires you to protect patient data. We configure M365 with encryption, access controls, and audit logging. Patient files are accessible only to authorized staff. We maintain compliance documentation.
Energy & Oil/Gas Companies
Operational data and project information are sensitive. We set up M365 so teams can collaborate securely. We restrict access by project, enforce approval workflows, and maintain audit trails for compliance.
Construction & Engineering Firms
Project data, blueprints, and specifications are intellectual property. We configure SharePoint with appropriate access controls. Teams channels are restricted to project teams. Data is protected and audit trails are maintained.
Financial Services
Financial data requires compliance and security. We harden M365 with strong authentication, conditional access, and DLP rules. We maintain audit trails and ensure you're ready for audits and inspections.
Frequently asked questions
What is M365 security hardening?
M365 comes with default settings that are not secure. We configure conditional access policies, enforce MFA, set strong password policies, restrict Teams channel access, and configure DLP (Data Loss Prevention) rules. We harden the tenant so that access is controlled and data is protected.
Why doesn't Microsoft 365 count as a backup?
M365 stores your data in Microsoft's cloud, but it's not a backup. If you accidentally delete a file, it's gone. If ransomware encrypts your OneDrive, all your backups are encrypted too. If an admin is compromised, they can delete everything. A backup must be separate, immutable, and restore-tested.
What is conditional access?
Conditional access is a set of rules that require extra verification when someone logs in from unusual locations or devices. For example, if someone tries to access M365 from a new country at 3 AM, conditional access can require them to approve the login on their phone first. It stops attackers with stolen passwords.
Do we need to buy new licenses when you take over M365?
No. We work with your existing licenses. We often find that you're either over-licensed or under-licensed. We audit your licenses and optimize them so you pay for what you actually use. No surprises, no forced upgrades.
How do you manage user access when people join and leave?
We implement onboarding and offboarding processes. When someone joins, we create their M365 account and provision access to Teams, SharePoint, and other apps on day one. When someone leaves, we immediately disable access, archive their mailbox, and transfer ownership of their files. No lingering access, no orphaned accounts.
Get a free Microsoft 365 security review
We'll audit your M365 tenant and show you what's working and what needs to change.