Security That’s On By Default. Because The Threats Are.
- elijahhoyle
- 6 hours ago
Why every CMS customer is now on a continuously managed Microsoft 365 security baseline and how the four Inforcer-powered packages step up from there.

Your live Secure Score, monitored continuously by the three Inforcer engines (Identity & Tenant, Intune Device and Copilot Readiness): 104 checks in total.
We made a decision this year that surprises some of our customers and reassures the rest of them. Rather than asking whether you’d like to be on a managed security baseline, we’ve enrolled every CMS customer onto one by default. You can opt out. Most won’t.
The reasoning is simple. An unmonitored Microsoft 365 tenant is a slow-moving target with very fast-moving attackers. Configuration drifts. Policies that were tight a quarter ago quietly relax. A new joiner, a new app, a new licence, and the perimeter you signed off in January is not the perimeter you’re running in May.
“The shortest distance between a breach and a board meeting is an unmonitored M365 tenant.”
What “On By Default” Actually Means
Every CMS customer is now enrolled onto Foundation, the standard tier in our managed security campaign. It runs over Inforcer, the policy management platform built specifically for managed service providers, and connects to your Microsoft 365 tenant securely via GDAP.
From the moment Foundation goes live in your tenant, we’re monitoring for drift against the Microsoft Minimum Requirements baseline, tracking your Secure Score, watching your licence utilisation, and producing a branded monthly compliance report you can hand straight to a client, an auditor, or your board. If something slips, we know first and we put it back.
What’s Actually Being Monitored
Three automated assessment engines run continuously across your tenant. 104 distinct checks in total, every one mapped to a real-world risk, not theatre.
ENGINE 01: Identity & Tenant — 57 checks
MFA coverage, Conditional Access, Privileged Identity Management, LAPS, authentication methods, guest access, admin permissions, and full SPF/DKIM/DMARC validation. The identity perimeter, watched in detail.
ENGINE 02: Intune Device — 26 checks
Windows compliance (BitLocker, Secure Boot, TPM, Code Integrity), browser hardening across Edge, Chrome and Firefox, macro security, Protected View, SmartScreen, device enrolment controls, and telemetry settings.
ENGINE 03: Copilot Readiness — 21 checks
Five workloads — identity, email, M365 admin, Purview, and SharePoint — every check mapped to a specific Copilot data-exposure risk. The check that answers the question every board now asks: ‘can we actually let Copilot near our data?’
Living Baselines, Not Frozen Ones
Microsoft moves. The threat landscape moves faster. So our baselines move with them. When Microsoft tightens a recommendation, retires an authentication path, or introduces a new control, we update the relevant baseline and it flows out to every customer on the matching package, at no extra charge, with no separate project.
That alone changes the conversation. Security posture stops being a once-a-year audit moment and starts being something that just keeps pace with Microsoft and with the threats targeting their customers.
“The baseline you bought in January should not be the baseline protecting you in May. Ours isn’t.”
Four Packages. Same Platform. Increasing Depth.
Every package shares the same Inforcer platform, the same drift monitoring, the same monthly branded report, and the same Secure Score tracking. What changes between tiers is how deep we go, how often we reassess, and how much advisory time wraps around the platform.
PACKAGE 01: Foundation — £50 / tenant / month
The opt-out standard. Maintains the Microsoft Minimum Requirements baseline — MFA, legacy auth blocked, restricted default permissions, high-risk country sign-ins blocked. Annual identity assessment, monthly drift monitoring, branded compliance report. Suitable for every customer, every sector.
This is the opt-out option, but additional packages offering enhanced functionality are available. Please contact your account manager for more information.
Where Copilot Fits And Why Governance Is Suddenly Urgent
Are you aware that Copilot Readiness is included?
Most Copilot rollouts don’t stall because the technology is wrong. They stall because nobody is confident the data underneath is governed well enough to expose to it. Oversharing on SharePoint, unmonitored sensitivity labels, gaps in DLP: these are the reasons Copilot pilots quietly shelve themselves.
The Copilot Readiness engine in Advanced and Compliance answers that risk head-on. Every check is mapped to a specific Copilot data-exposure scenario, so the conversation moves from “should we?” to “here’s what we cleaned up before we did.”
How This Lands By Sector
No single tier is right for everyone. The right starting point usually tracks how regulated the data is, how distributed the device estate is, and how exposed the business would be if a Copilot rollout went wrong.
• Hospitality: Foundation or Secure. Price-sensitive, lower regulatory burden, multi-site device estates often justify the Secure step up.
• Healthcare and NHS: Compliance. DSPT obligations, patient data sensitivity, and cyber insurance requirements make Compliance the appropriate entry point.
• Manufacturing: Secure or Advanced. OT/IT boundary risk, supply chain compliance pressure, and growing Copilot adoption move most mid-market clients into Advanced.
• Professional services and blue-chip: Advanced or Compliance. Client contractual obligations, cyber insurance, and reputational sensitivity reward a fully managed, fully documented service.
Why We Made This Opt-Out
Plenty of providers offer managed security as an upsell: a deck, a quote, a wait. The trouble is the gap. Between “we should” and “we have”, attackers get a window. So we’ve closed the window. Every customer is now on Foundation by default, with the option to move up the stack when the business case earns it.
We’d rather defend you than ask you whether to. That’s the campaign.



