Hardening a Microsoft 365 Environment

Over the course of Adam's time in this role he independently designed and deployed a layered security strategy covering identity, device compliance, mobile app protection, email security, and continuous tenant monitoring. Users were authenticating via SMS with no authenticator app in place, mobile devices had no data protection policies, and group membership changes in Entra went completely undetected. As part of the user account conversions to the cloud, Adam rolled out Microsoft Authenticator across all users in the organization, replacing SMS authentication in the process. Each project below represents a deliberate step toward closing those gaps and bringing the organization in line with modern security standards.

Conditional Access & MFA Enforcement

Configured and deployed Conditional Access policies through Entra ID to enforce MFA via Microsoft Authenticator as a broker, which had been rolled out across all accounts as part of the broader cloud migration. Policies were scoped to separate corporate and personal device flows — BYOD devices are required to comply with App Protection Policies to access company resources, while Windows devices must meet a compliance policy baseline enforced through Intune before access is granted. Device filters were used to ensure the correct protection policy applied to each device context without conflict.

Mobile Application Management (MAM) Architecture

Built a full MAM architecture to protect corporate data on personal iOS devices without requiring full device enrollment. Enrollment restrictions were configured to block personal devices from enrolling into Intune while allowing corporate devices to enroll via Apple Business Manager (ADE). Two-tiered App Protection Policies were deployed — Level 1 for managed corporate devices with relaxed controls, and Level 2 for BYOD devices enforcing strict data transfer restrictions and encryption. Assignment filters were used to differentiate policy enforcement based on device management state, ensuring only one APP policy applied per device context. App Configuration Policies were also deployed to reinforce app identity and ensure correct MAM policy assignment through Intune MAM UPN and OID keys.

Mimecast SSO via SAML 2.0

Configured Single Sign-On for Mimecast through Entra ID using SAML 2.0, setting up Mimecast as an Enterprise Application in the Azure portal and establishing the trust relationship between the identity provider and service provider. Prior to this, users were managing a separate set of Mimecast credentials entirely. After SSO was enabled, users authenticate to Mimecast through their Entra ID identity, eliminating credential sprawl, reducing the risk of weak or reused passwords on the email security platform, and removing IT overhead associated with Mimecast password resets.

Entra Group Change Monitoring

Built an automated monitoring solution using Power Automate that runs weekly to detect any changes to Entra ID groups — including additions, deletions, and modifications. The flow establishes a baseline snapshot of all groups on first run, then compares the current state against that baseline every Friday. Any detected changes are logged and an alert email is sent to IT summarizing exactly what changed. The baseline is then updated automatically to reflect the new state, ensuring the next comparison is always accurate. This gives the team visibility into group membership drift that could indicate unauthorized access changes or misconfiguration — something that previously went completely undetected.

Outcomes & Technologies

These initiatives collectively transformed the organization's security posture from a baseline of SMS-only MFA and no mobile data protection to a layered, identity-driven security model. Microsoft Authenticator replaced SMS across all accounts, BYOD devices are now protected through MAM without sacrificing user experience, Mimecast is secured through SSO eliminating a separate credential surface, and Entra group changes are now monitored continuously with automated alerting — closing a visibility gap that had existed since the tenant was created.

Technologies Used: Microsoft Entra ID • Conditional Access • Microsoft Authenticator • Microsoft Intune MAM • App Protection Policies • Apple Business Manager (ADE) • SAML 2.0 • Mimecast • Power Automate • SharePoint Online • Microsoft Graph

Phone

(516) 551-2522

Area of living

East Meadow, NY 11554
United States of America