Microsoft 365 Compliance-Aligned Tenant Remediation — Konve IT

Konve IT / Microsoft 365

Two-phase project  ·  Existing tenant  ·  Milestone payment

Microsoft 365
Compliance-Aligned
Tenant Remediation

Your Microsoft 365 tenant, assessed against the Cyber Essentials controls and the Konve IT security baseline — and then fixed. Not a report. A documented, verified remediation with every change recorded.

Existing tenant — no migration required Remediation Plan approved before work begins Every change documented
Get a quote How it works

Indicative Pricing

Base fee (up to 10 users) £1,200 Exclusive of VAT
Per user above 10 — standard £65 / user
Per user above 10 — volume (25+) £59 / user 10% discount at 25+ users

Example: 20-user firm — £1,200 + (10 × £65) = £1,850 + VAT

Payment: 50% on commencement · 50% on completion

Note: If Phase 1 reveals significantly more work than anticipated, Konve IT will present a revised fee before Phase 2 commences.

What this service is

Your tenant, governed. Not a rebuild — a remediation with a documented outcome.

Most organisations on Microsoft 365 have a tenant that works well enough day-to-day but has never been properly governed. Licences were assigned, email works, Teams is running — but the security configuration underneath is shallow, the Conditional Access policies are absent or misconfigured, Defender is not activated, permissions have drifted, and the environment would fail a Cyber Essentials assessment without significant work.

This engagement addresses that without requiring a new tenant or a data migration. Konve IT assesses the existing environment against the Cyber Essentials controls and the Konve IT security baseline, produces a Remediation Plan identifying every gap and the specific action required to close it, and then implements those actions — with every configuration change documented in a written Remediation Record.

The result is an existing tenant that is governed, documented, and defensible — against a Cyber Essentials assessor, a regulatory audit, or a board that wants evidence that the organisation's technology environment meets an appropriate security standard.

Which engagement is right for you?

Remediation
Deployment
Tenant exists?
Yes — remediating existing configuration
New or full rebuild
Data migration?
No — data stays in place
No — new deployment only
Volume of gaps?
Targeted — specific gaps to close
Comprehensive rebuild from baseline
Base fee
£1,200
£1,800
Best for
Tenant that needs fixing, not replacing
New start or full rebuild required
Scope of work

Two phases. Assess first, fix second.

The remediation is scoped by the assessment. Konve IT does not begin remediation work without a Remediation Plan that you have reviewed and approved in writing. You know what is being changed, and why, before it happens.

Phase 01 Assessment

A structured assessment of the existing tenant — the same scope as the standalone Tenant Assessment and Gap Analysis.

  • Assessment against all five Cyber Essentials controls: firewalls, secure configuration, user access control, malware protection, and patch management
  • Assessment against the Konve IT Microsoft 365 security baseline — identity, endpoint protection, data governance, email authentication, and collaboration controls
  • Production of the Remediation Plan: every gap identified, severity rated Critical, High, or Advisory, specific remediation action required, and a before-and-after comparison
  • Client written approval of the Remediation Plan before Phase 2 commences

If you have completed a Konve IT Tenant Assessment and Gap Analysis within the preceding six months, Phase 1 may be abbreviated to a review of changes since that assessment, at Konve IT's discretion.

Phase 2 does not commence without your written approval of the Remediation Plan
Phase 02 Remediation

Implementation of every action confirmed in the approved Remediation Plan — nothing more, nothing less.

The specific configuration changes made in Phase 2 depend on what Phase 1 finds. The remediation areas below represent the full scope of what may be addressed. Only those confirmed in the approved Remediation Plan are included in the fee.

Remediation areas

What the remediation may cover.

These are the six areas most commonly requiring remediation in ungoverned Microsoft 365 tenants. The Phase 1 assessment determines which apply to your environment and to what extent.

Area 01

Identity and Access

  • MFA enforcement — all accounts, no exceptions
  • Conditional Access policy redesign and implementation
  • Stale, orphaned, and ungoverned account remediation
  • Admin account separation and privileged identity management
  • Guest access governance and external sharing controls
Area 02

Email Authentication

  • SPF record audit and remediation
  • DKIM signing configuration for Exchange Online
  • DMARC policy configuration — progressing to enforcement
  • Anti-spam and anti-phishing policy hardening
Area 03

Microsoft Defender

  • Activation where not already active
  • Configuration to the Konve IT security baseline
  • Endpoint protection policy gap remediation
  • Threat detection and alerting configuration
Area 04

Microsoft Purview

  • Audit logging activation where not already active
  • Sensitivity label configuration or remediation
  • Data loss prevention policy implementation or remediation
Area 05

SharePoint and OneDrive

  • External sharing policy remediation
  • Permissions governance and inheritance correction
  • Overly permissive site and folder access remediation
  • OneDrive sharing configuration hardening
Area 06

Microsoft Teams

  • Guest access control remediation
  • Meeting policy hardening
  • Ungoverned team and channel remediation where a data governance risk exists
Not all six areas will require remediation in every engagement. Konve IT does not remediate areas that are already correctly configured — the Remediation Plan only includes work that is genuinely needed. The fee reflects the actual scope identified in Phase 1, not a standard package applied regardless of your tenant's state.
What you receive

Two written deliverables. One handover session.

The Remediation Plan before Phase 2 begins. The Remediation Record on completion. Both in PDF, both designed to be presented to a regulator, auditor, or board.

Remediation Plan

Produced at the end of Phase 1. Identifies every gap, its severity rating (Critical, High, or Advisory), the specific remediation action required, and a before-and-after comparison for each control area. Requires your written approval before Phase 2 commences.

Remediation Record

Produced on completion of Phase 2. Documents every configuration change made, a before-and-after comparison for each change, and a statement of alignment with Cyber Essentials controls following remediation. Suitable for regulatory review and compliance evidence.

Administrator Handover Session

A sixty-minute remote session with your nominated administrator on completion, covering the changes made and routine operational procedures going forward.

Who this is for

Organisations with an existing tenant that needs governing, not replacing.

This engagement is specifically for organisations that already have a Microsoft 365 tenant in use. If you need a new tenant deployed from scratch, or if you are migrating from a legacy environment, those are separate engagements.

Situation 01

Your Microsoft 365 tenant has never been formally reviewed and you are approaching a Cyber Essentials assessment.

The assessment will identify gaps. This engagement closes them. For clients who have completed a Konve IT Tenant Assessment within the preceding six months, Phase 1 can be abbreviated — you are not paying twice for the gap analysis work.

Situation 02

Your previous IT provider configured your tenant and you have no confidence in what they actually did.

Many organisations inherit a Microsoft 365 configuration they did not design, cannot document, and cannot defend. This engagement assesses what exists and remediates what falls short — with a written record of everything that was changed and why.

Situation 03

You are a law firm or professional services firm whose IT environment is subject to a regulatory review.

SRA, ICAEW, or GDPR audit requirements mean you need to demonstrate that your technology environment meets an appropriate standard. The Remediation Record produced by this engagement provides that documentation — a written, dated record of what your tenant's security configuration looks like and when it was last reviewed.

Situation 04

Your Tenant Assessment and Gap Analysis has returned a prioritised remediation plan and you want Konve IT to implement it.

The Tenant Assessment is the natural precursor to this engagement. If you have a Gap Analysis Report in hand, Phase 1 can be abbreviated significantly. Contact Konve IT to discuss how the assessment findings translate into a remediation scope and fee.

What this service does not include

Anything below that arises from the Phase 1 assessment will require either a separate engagement or a written change order before Konve IT proceeds.

  • New tenant creation or data migration of any kind
  • Remediation of areas not confirmed in the Remediation Plan
  • Advanced email security — Mimecast or Proofpoint
  • Intune device enrolment and endpoint management
  • Cyber Essentials certification submission
  • Procurement or payment of Microsoft 365 licences
  • Configuration of hardware or on-premise servers
  • Helpdesk, end-user support, or break-fix
  • Ongoing management following completion
  • ISO 27001 readiness or ISMS design
Pricing

Base fee plus per-user above ten.

The lower base fee compared to Tenant Deployment reflects that remediation targets specific gaps in an existing environment rather than configuring all six workstreams from scratch. The actual scope — and therefore the actual effort — is determined by Phase 1.

Microsoft 365 Compliance-Aligned Tenant Remediation

Project fee structure Excl. VAT
Base feeCovers fixed overhead · includes up to 10 users £1,200
Per user above 10 — standard rate £65 / user
Per user above 10 — volume rateApplies where 25 or more users confirmed £59 / user
Example calculations Excl. VAT
10 users £1,200
20 users£1,200 + (10 × £65) £1,850
30 users — volume rate£1,200 + (20 × £59) £2,380
50 users — volume rate£1,200 + (40 × £59) £3,560
If Phase 1 reveals more than expected: Where the Phase 1 assessment finds that the volume or complexity of remediation work is materially greater than anticipated, Konve IT will notify you in writing before commencing Phase 2 and present a revised fee. You may accept the revised fee, narrow the scope to remain within the original fee, or terminate — with the first instalment retained to cover Phase 1 work completed.

Payment Milestones

Milestone 1
On commencement
50%

Due before Phase 1 begins. Covers the assessment and Remediation Plan production.

Milestone 2
On completion
50%

Due on completion of Phase 2 and delivery of the Remediation Record, or within five working days of Konve IT confirming completion.

All fees
Exclusive of VAT. Invoices payable within 14 days.
How to get started

Three steps to a signed Statement of Work.

If you have already completed a Konve IT Tenant Assessment and Gap Analysis, contact Konve IT directly — the assessment findings can be used to scope and price the remediation without repeating Phase 1 in full.

01

Complete the onboarding form

Download and complete the Konve IT Client Onboarding Form. Captures your organisation details, contacts, and regulatory context.

02

Complete the service questionnaire

Download and complete the Microsoft 365 Tenancy Questionnaire, selecting the Remediation variant. Captures tenant details, approximate age, known issues, and regulatory obligations.

03

Review and sign the Statement of Work

Konve IT reviews your responses and issues a Statement of Work within two working days. On signature and receipt of the first instalment, Phase 1 commences.

Get started Back to Konve IT Or write to it@konvegroup.com
Services that naturally follow this engagement
Cyber Essentials

Cyber Essentials Full Programme

The remediated tenant is aligned to Cyber Essentials controls on completion. The Full Programme takes you from that baseline to a valid certificate — with the gap analysis work credited if within six months.

 Microsoft 365 Backup

Backup Setup and Configuration

Microsoft 365 does not back up your data. Deploying a third-party backup solution is a natural next step following tenant remediation.

 Email Security

Email Security Deployment

DMARC, DKIM, and SPF are remediated in this engagement. Advanced email security — AI-powered phishing detection, impersonation protection, and payment diversion controls — is the next layer.
Scroll to Top