Client Overview
The Harbour is a growing charity supporting vulnerable individuals and families.
As their Microsoft 365 grant licences approached renewal, they engaged AgencyTech to review their environment and strengthen security.
Their previous IT provider had left the Microsoft 365 tenant inconsistently configured, with gaps in security controls and user management processes.
The Challenge
Our initial review identified several concerns:
- Expiring Microsoft 365 grant licences with no structured transition plan
- Inconsistent Multi-Factor Authentication (MFA) coverage
- Administrative roles not fully secured to modern best practice
- Legacy user accounts still active
- Improperly offboarded staff retaining access
- Orphaned accounts increasing domain attack surface
- Microsoft Secure Score significantly below peer organisations
For a charity handling sensitive client and safeguarding data, these gaps presented significant unnecessary risk.
Work Completed
Security & MFA Enforcement
In line with Microsoft Entra best practice guidance, AgencyTech moved The Harbour from partial enforcement to consistent, policy-driven security.
- Enforced MFA across all active users, reducing reliance on weaker authentication methods
- Secured all administrative accounts with strong authentication controls
- Implemented structured Conditional Access policies
- Enabled self-service password reset with dual verification requirements
- Ensured multiple authentication methods were registered for account recovery
Legacy Account Clean-Up & Risk Reduction
AgencyTech reduced The Harbour’s domain attack surface by addressing historical account and offboarding gaps.
- Identified and removed legacy and dormant user accounts
- Properly offboarded former staff while retaining required data for SLT
- Migrated user OneDrive data before account removal to prevent loss
- Removed unnecessary licensed users to reduce exposure and cost
- Centralised historic data into secure, controlled locations
Licensing Optimisation
AgencyTech aligned licensing to operational needs while maintaining non-profit compliance requirements.
- Moved SLT to Business Standard licences
- Assigned Business Basic licences to operational staff
- Ensured compliance with Microsoft’s 85% non-profit licence utilisation requirement
- Removed unnecessary premium licences
- Structured renewals to avoid unnecessary spend
Before vs After
| Area | Before | After |
|---|---|---|
| Secure Score | Below organisations of similar size | Increased by over 50% |
| MFA Coverage | Inconsistent enforcement | Fully enforced across users & admins |
| Admin Protection | Partially secured | All privileged roles protected |
| Offboarding | Legacy accounts remained active | Cleaned, controlled, and secured |
| Domain Risk | Dormant accounts increased attack surface | Reduced exposure and improved governance |
| Security Posture | Reactive | Structured and policy-driven |
The Results
- 56% improvement in Microsoft Secure Score
- Reduced risk of phishing and credential compromise
- Clear processes implemented for managing user lifecycle
- Admin role setup aligned to Cyber Essentials standard
Key Takeaways
The Harbour now operates within a properly governed Microsoft 365 environment, with:
- Reduced cyber risk
- Cleaner identity management
- Stronger admin protection
- Improved compliance alignment
- A scalable foundation for future growth
AgencyTech transformed an exposed and inconsistently managed tenant into a structured, secure, and defensible Microsoft 365 environment.