Microsoft 365 Tenant Assessment and Gap Analysis
An independent, structured review of your Microsoft 365 tenant against the Cyber Essentials controls and Konve IT's security baseline — delivered as a written report with a prioritised remediation plan.
A clear picture of where your Microsoft 365 tenant stands — before you commit to fixing it.
Most organisations using Microsoft 365 are not getting close to what they are paying for. Licences are in place. The tenant is running. But the security configuration is shallow, the compliance controls are absent, and the environment would fail a Cyber Essentials assessment without remediation work that nobody has yet scoped.
This assessment changes that. Konve IT conducts a structured review of your entire Microsoft 365 tenant and produces a written report that tells you precisely where you stand, what the gaps are, how serious each one is, and what needs to happen to close them. No implementation. No obligation to proceed. Just an honest assessment from a senior practitioner.
The report is produced against two standards simultaneously: the five Cyber Essentials technical controls, and the Konve IT Microsoft 365 security baseline. The overlap is significant — fixing one largely fixes the other — which means the assessment serves as the foundation for any further engagement, whether that is a tenant hardening project, a Cyber Essentials programme, or simply a prioritised internal remediation programme managed by your own team.
Cyber Essentials Controls
Assessed against all five controls: firewalls, secure configuration, user access control, malware protection, and patch management.
Identity and Access
MFA enforcement status, Conditional Access policy coverage, admin account governance, and guest access configuration.
Security Configuration
Microsoft Defender for Business activation and baseline, Purview sensitivity labelling, audit logging, and anti-phishing policy.
Data Governance
SharePoint and OneDrive permissions structure, external sharing policy, retention configuration, and data loss prevention coverage.
Email Authentication
SPF, DKIM, and DMARC record status — the email authentication controls most frequently absent and most frequently exploited.
Teams and Collaboration
Teams governance policy, meeting controls, guest access settings, and channel sharing configuration.
One report. Everything in it.
The Gap Analysis Report is delivered in PDF format within ten working days of commencement, subject to receiving the access and information described in the questionnaire. It contains five sections.
Executive Summary
A concise summary of the overall security posture, written for a non-technical audience. Suitable for board or partner review.
Cyber Essentials Assessment
A structured pass or fail finding against each of the five Cyber Essentials controls, with the specific evidence supporting each finding.
Security Baseline Assessment
Assessment against the Konve IT Microsoft 365 security baseline, covering identity, endpoint protection, data governance, and collaboration controls.
Prioritised Remediation Plan
Every gap identified, rated Critical, High, or Advisory, with the specific remediation action required and an indicative effort level for each item.
Findings Presentation
A sixty-minute remote session with your nominated contact to walk through the findings, answer questions, and discuss the recommended next steps.
Certification Readiness Statement
A plain statement of whether your tenant, at the date of assessment, would pass or fail a Cyber Essentials self-assessment — and a recommendation on the right next step.
Four situations where this assessment is the right starting point.
If you recognise your organisation in any of these, this assessment is designed for you.
You have a Microsoft 365 tenant but no confidence in its security configuration.
The tenant was set up years ago, possibly by a previous IT provider, and has never been formally reviewed. You know there are gaps. You do not know how serious they are or where to start. This assessment tells you both.
You are preparing for Cyber Essentials and want to understand your position before committing to a programme.
Cyber Essentials requires your Microsoft 365 environment to pass five technical controls. Before investing in a full certification programme, you want an honest assessment of where you stand and how much remediation work is likely to be required.
You are a law firm or professional services firm and your regulatory obligations intersect with your Microsoft 365 configuration.
SRA, ICAEW, RICS, or FCA obligations require your data handling environment to be appropriately governed. You need an assessment that understands these obligations, not just the technical controls in isolation.
You are about to change IT provider and want an independent view of your current environment.
Before committing to a new MSP or bringing IT management in-house, you want to understand the current state of your environment — what has been configured, what has been neglected, and what the new arrangement needs to address.
This is an assessment and reporting engagement. No configuration changes are made to your tenant during or after the assessment unless you proceed to a separate engagement. The following are outside its scope:
- Implementation, remediation, or configuration of any kind
- Cyber Essentials certification or submission support
- Assessment of systems outside your Microsoft 365 tenant
- Assessment of on-premise servers or networking equipment
- Procurement or payment of Microsoft 365 licences
- Ongoing management or monitoring of the tenant
- ISO 27001 readiness assessment
- Follow-on work arising from the findings (separate engagement)
One flat fee. No variables.
Unlike most Konve IT services, this assessment carries no per-user component. The fee is the same whether your tenant has five users or fifty.
Microsoft 365 Tenant Assessment and Gap Analysis
- Structured assessment of your Microsoft 365 tenant against Cyber Essentials controls and the Konve IT security baseline
- Gap Analysis Report in PDF — executive summary, structured findings, prioritised remediation plan, and Cyber Essentials readiness statement
- Sixty-minute remote findings presentation with your nominated contact
- Delivered within ten working days of commencement
- Payable in full upfront — no milestone billing
Three steps from enquiry to report.
No scoping calls required before commitment. The process is straightforward by design.
Complete the onboarding form
Download and complete the Konve IT Client Onboarding Form. This gives us the organisation and contact details we need to open your client file and issue a Statement of Work.
Complete the service questionnaire
Download and complete the Microsoft 365 Tenancy Questionnaire, selecting the Assessment variant. This captures the technical details — your tenant URL, the access you will provide, and the scope of the review.
Review and sign the Statement of Work
Konve IT will review your questionnaire responses and issue a Statement of Work within two working days. On signature and receipt of payment, the assessment commences.
Tenant Deployment and Hardening
If your tenant needs full deployment or a complete security rebuild, this is the next engagement. Fixed-scope project, milestone-based payment.
Microsoft 365: Compliance-Aligned Tenant Remediation
If your tenant exists but needs targeted remediation of the gaps identified in this assessment. Scoped against the Gap Analysis Report findings.
Cyber Essentials: Cyber Essentials Full Programme
Gap assessment, technical remediation, and certification — taken together as a single coordinated programme. Assessment fee credited if within six months.