Zero Trust Assessment Service in Canada
Most Canadian organizations that have Microsoft 365 already have some security controls in place. The problem is rarely total absence — it is inconsistent enforcement. A Zero Trust Assessment gives you an objective answer to one question: how effectively are your security controls actually enforced, not just enabled? This service is designed for Canadian businesses that want a structured review of their Microsoft 365 security posture before committing to broader changes.
This zero trust assessment service helps organizations understand how well their Microsoft 365 environment supports modern security principles. The goal is to evaluate where trust is still too broad, where controls are missing, and where risk can be reduced without making daily work harder than necessary. Before investing in a broader implementation, you need to know exactly where you stand.
What Is on This Page
- The Problem With "We Have Microsoft 365, So We're Secure"
- What We Assess — Five Pillars, CISA ZTMM v2.0
- What You Receive
- How the Assessment Works
- The Gaps We Find Most Often
- Who This Is For
- After the Assessment
The Problem With "We Have Microsoft 365, So We're Secure"
Enabling Microsoft 365 security features is not the same as enforcing them. In most environments we assess, Conditional Access policies have broad exclusions, Defender for Endpoint is deployed but Attack Surface Reduction rules are in audit mode only, DLP policies are running in simulation, and guest access has never been reviewed. The licenses are paid for. The controls are not working.
That matters because weak access control, unmanaged devices, and unclear policy enforcement often create the conditions for avoidable incidents. A focused zero trust security review makes those weaknesses visible before they become larger operational or compliance problems.
What We Assess — Five Pillars, CISA ZTMM v2.0
Zero Trust is an architecture, not a product. Our Microsoft zero trust consulting approach evaluates your organization across the five pillars defined by the CISA Zero Trust Maturity Model (ZTMM) v2.0, using Microsoft Entra ID, Intune, Defender XDR, Microsoft Sentinel, and Purview as the primary control plane.
| Pillar | Key Controls Reviewed |
|---|---|
| Identity | Conditional Access, MFA coverage, Privileged Identity Management, legacy auth protocols, guest lifecycle |
| Devices | Intune compliance policies, Defender for Endpoint onboarding, ASR rules, macOS and mobile coverage |
| Applications | OAuth consent grants, Defender for Cloud Apps configuration, shadow IT inventory |
| Data | Purview sensitivity labels, DLP policy enforcement status, sharing settings, encryption |
| Network | Named Locations, Entra Private Access / Global Secure Access, VPN dependency |
Each pillar is rated against four ZTMM maturity levels — from Traditional (perimeter-based, implicit trust) through Initial and Advanced to Optimal (fully automated, continuously validated). You receive a current-state score and a target-state recommendation for each.
What You Receive
The engagement delivers four concrete outputs:
- Executive Summary — A 2–3 page business risk narrative with maturity ratings per pillar and the top 5 priority actions. Written for non-technical stakeholders and board reporting.
- Technical Assessment Report — Detailed findings per pillar with evidence, control gaps, and step-by-step remediation guidance linked to Microsoft documentation.
- Prioritized Remediation Backlog — Every finding ranked by risk severity (Critical / High / Medium / Low) with estimated implementation effort and licensing requirements. Ready to use as an actionable project plan.
- Live Readout Session (90 min) — Walkthrough of findings with your IT and security team, Q&A, and discussion of remediation sequencing.
How the Assessment Works
Delivery: Remote · 5–10 business days
Recommended licensing: Microsoft 365 Business Premium, E3 + EMS, or M365 E5
Discovery is entirely read-only. We collect configuration data via the Microsoft Graph API and Entra ID audit logs using a dedicated Global Reader account. No changes are made to your environment at any point. The engagement requires no downtime and runs over 5–10 business days depending on environment size.
We start with a kickoff discussion and scope review, then examine the tenant's current configuration and security priorities. From there, we analyze key control areas, document findings, and map them to practical recommendations. The final step is the live readout session where we walk through results and identify the most important next actions.
The Gaps We Find Most Often
Across Canadian mid-market organizations, these are the controls that are most frequently licensed but misconfigured:
- Legacy authentication protocols still enabled — SMTP AUTH and Basic Auth bypass MFA entirely. Any attacker with a stolen credential can authenticate without triggering a Conditional Access policy.
- Conditional Access policies with broad exclusions — Break-glass accounts and service accounts are often left unprotected.
- No Privileged Identity Management — Admins have standing privileged access instead of just-in-time elevation.
- Device compliance not enforced in Conditional Access — Devices are enrolled in Intune, but non-compliant devices can still access corporate data.
- DLP policies in simulation mode — Data is not actually protected; the policy only logs what would have been blocked.
- Sensitivity label adoption below 20% — Labels are published, but users are not applying them and auto-labeling is not configured.
A note on Secure Score: If you have already reviewed your Secure Score and want to know what it actually means in practice — this assessment answers that question. Secure Score measures whether controls are enabled. We measure whether they are enforced.
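As an added illustration of that enabled-versus-enforced distinction (example code, not the assessor's own tooling), the script below scores an exported Conditional Access policy list against three of the gaps above: legacy authentication, broad exclusions, and device compliance. It assumes the field names of the Microsoft Graph `conditionalAccessPolicy` resource, a constructed sample export, and an exclusion threshold chosen for the example.

```python
# Offline checks for the Conditional Access gaps listed above, run over the "value"
# array that GET /identity/conditionalAccess/policies (Microsoft Graph, read-only) returns.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # Graph's legacy-auth clientAppTypes
EXCLUSION_THRESHOLD = 2  # assumed cutoff: more exclusions than this counts as "broad"
# Constructed sample, not from a real tenant: a report-only legacy-auth block, MFA with
# broad exclusions, and a compliant-device policy that was never turned on.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-contractors"],
                              "excludeUsers": ["breakglass-1", "svc-backup", "svc-scanner"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]

def is_enforced(policy):
    # Only "enabled" enforces; report-only and disabled policies never stop a sign-in.
    return policy.get("state") == "enabled"

def grant_controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def blocks_legacy_auth(policy):
    apps = set(policy["conditions"].get("clientAppTypes", []))
    return is_enforced(policy) and LEGACY_CLIENT_APPS <= apps and "block" in grant_controls(policy)

def requires_compliant_device(policy):
    all_users = "All" in policy["conditions"]["users"].get("includeUsers", [])
    return is_enforced(policy) and all_users and "compliantDevice" in grant_controls(policy)

def exclusion_count(policy):
    users = policy["conditions"]["users"]
    return len(users.get("excludeUsers", [])) + len(users.get("excludeGroups", []))

def assess(policies):
    # Maps the export onto the findings above; the portal's "enabled" is not "enforced".
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "device_compliance_required": any(requires_compliant_device(p) for p in policies),
        "report_only": [p["displayName"] for p in policies
                        if p.get("state") == "enabledForReportingButNotEnforced"],
        "broad_exclusions": [(p["displayName"], exclusion_count(p)) for p in policies
                             if is_enforced(p) and exclusion_count(p) > EXCLUSION_THRESHOLD],
    }
```

On the constructed sample every one of the three checks fails, which is exactly the picture the gaps list describes: the policies exist, but none of them is enforced.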
Who This Is For
This assessment is well suited for Canadian organizations that:
- Have Microsoft 365 Business Premium, E3 + EMS, or M365 E5 and want to know whether they are getting security value from their investment
- Need to demonstrate a documented security posture for cyber insurance, board reporting, or regulatory compliance (OSFI B-10, PIPEDA, provincial privacy laws)
- Have experienced a security incident and need a clear baseline before committing to remediation spend
- Are planning an Entra ID or Intune deployment and want to assess the current state first
After the Assessment
There is no obligation to purchase additional services. The remediation backlog is yours to execute internally or with any partner.
If you choose to work with us on implementation, the right next step depends on which gaps have the highest business and security impact. Common follow-on engagements include:
- Microsoft 365 Security — 90-Day Implementation — for a structured, end-to-end remediation programme
- Entra ID Deployment — Conditional Access policy redesign and identity governance
- Intune Suite Deployment — device compliance and endpoint security rollout
- Microsoft Sentinel SIEM Deployment — centralised detection and incident response
- Microsoft Purview DLP Configuration — moving from simulation to active enforcement
- Defender XDR Setup — unified threat protection across identity, endpoints, and cloud
- CIO as a Service — strategic oversight to align Zero Trust with broader IT investment decisions
For a phase-by-phase view of what a complete Zero Trust programme looks like over 12 months, see the 12-Month Zero Trust Roadmap for Microsoft 365.
IT Partner is a certified Microsoft Solutions Partner for Security — which means every Defender workload in this engagement is delivered by engineers with verified Microsoft expertise. Most Canadian organizations on Microsoft 365 E5 are carrying the cost of five security workloads while actively running one or two. Defender for Identity has never been connected to Active Directory. Defender for Cloud Apps holds no governed SaaS integrations. The unified incident queue in the Defender XDR portal sits empty — not because the environment is safe, but because no workload has been put into a production-ready state.
When an attack does land, the reconstruction is manual: the initial phishing lure in one dashboard, the account takeover it triggered in a second, the lateral movement your team missed in a third. Engaging a Microsoft Defender XDR consultant means that reconstruction never has to happen — each workload delivers clean signal, the correlation engine connects them automatically, and your team sees one incident instead of three queues of unrelated alerts. XDR setup in Canada runs 10–20 business days depending on the number of workloads in scope and the complexity of the existing environment.
Microsoft 365 does not protect sensitive data by default — SIN numbers, financial records, and client contracts move through email, SharePoint, and Teams with no inspection, no policy check, and no audit trail. IT Partner configures Microsoft Purview DLP policies that enforce data protection at the point of sharing, align controls with PIPEDA and Bill C-27, and work around legitimate business workflows rather than blocking them.
Deploy Microsoft Sentinel with a practical managed SIEM approach for Canadian businesses that need stronger visibility, better alerting, and faster incident response. We help you configure the platform, connect the right data sources, and build an operational monitoring foundation for Microsoft 365 and Azure environments.
Empower your business with unparalleled IT leadership—minus the high costs of a permanent Chief Information Officer! CIO as a Service (CIOaaS) is a revolutionary approach, giving you access to expert IT guidance tailored to your needs. Ideal for small and medium businesses, CIOaaS bridges the gap between technology and strategic objectives, ensuring growth and innovation.
We specialize in tailoring your tenant configurations to establish a robust security framework, prioritizing your Microsoft 365 security requirements. Our primary aim is to devise a bespoke strategy and framework for implementing core security features, ensuring a seamless migration of user data from Gmail and Google Drive to Microsoft 365.
We adopt a meticulous approach to comprehend your organization's unique needs and recommend the most suitable tools and solutions. With extensive experience serving organizations across various industries and sizes, we excel in crafting, implementing, and managing cybersecurity measures.
Our team of seasoned experts is poised to provide clear guidance on implementing endpoint detection and response solutions tailored precisely to your organization's size, business model, and regulatory environment.
