Conditional Access policy-as-code, JIT admin and SCIM joiner-mover-leaver for Microsoft 365 and Google Workspace — shipped as a fixed-scope product with DORA, NIS2 and ISO 27001 evidence per control.
The average EU SME runs Microsoft 365 or Google Workspace with default policies, opt-in MFA and a backlog of OAuth grants no one has reviewed. Compromise comes from sessions and consents — not passwords.
Permanent Global Admins, six-month-old service principals, OAuth grants nobody remembers consenting to. One phished session ends the company.
Engineers wire Notion, Linear, Zapier and a dozen AI tools to corporate identities. Nobody owns the inventory and offboarding leaks data on day one.
New hires wait three days for access. Leavers keep mailbox forwards live for weeks. Every audit finds it. Every quarter you promise to fix it.
One-off diagnostic. Walk away with the gap map.
Outcome: Board-ready remediation plan. No implementation lock-in.
Ship the controls. End the standing access.
Outcome: 100% MFA enforcement, zero standing admin within 30 days of go-live.
We run access reviews. You ship product.
Outcome: Continuous control evidence, audit prep that writes itself.
Entra / Workspace policies in Terraform. MFA enforcement, geo-fencing, device compliance, risk-based session controls — all reviewable in pull requests.
Privileged Identity Management or Granted Auth — admins request a role, approval flows to Slack, access auto-expires. No more permanent Global Admins.
Hire-to-deprovision automation against your HRIS. Group-based entitlements, role catalogs, offboarding playbooks signed by the engineer.
Intune / Google Endpoint policies: disk encryption, screen lock, OS minimums, no jailbreak. Wired into Conditional Access so non-compliant = no access.
Grafana over the unified audit log. MFA coverage, dormant accounts, admin session length, risky sign-ins, OAuth grant timeline — all in one pane.
Each policy mapped to DORA Art. 9, NIS2 Art. 21(2)(i) and ISO 27001 Annex A.5 access controls. Copy-paste into your next audit or self-assessment.
Article 9 — protection and prevention. Conditional Access, JIT admin and SCIM map directly to the ICT protection objectives.
Article 21(2)(i) — access control policies and asset management. Joiner-Mover-Leaver SOP and quarterly reviews documented.
Annex A.5/A.8 — access control, segregation of duties, privileged access. Mapped per policy for regulated operators.
Licences are the easy part — they sit unused in 90% of the SMEs we audit. The hard part is policy design, exception handling, joiner-mover-leaver automation, and quarterly access reviews that produce real evidence. We bring the templates, the runbooks and the Terraform — your existing licences finally start earning their keep.
The scan is read-only. You consent to a multi-tenant Microsoft Graph app (or a Google Workspace service account) with read-only scopes. We never receive password reset, write-policy or impersonation scopes. All evidence is stored encrypted in the EU (Hetzner Falkenstein) and destroyed on request.
Yes. We design two enforcement tiers: managed devices get full SSO with persistent sessions; BYOD and contractors get short-lived sessions plus app-protection policies. Sensitive scopes require a managed device or a hardware key regardless.
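As an added example (not the product's own Terraform), this is how the two tiers above, plus the Intune compliance gate, can be expressed with the hashicorp/azuread provider; the group object-ID variables and policy names are assumed placeholders.

```hcl
# Added example (not the product's Terraform): the two enforcement tiers as
# hashicorp/azuread Conditional Access resources. Group IDs are assumed variables.
resource "azuread_conditional_access_policy" "tier1_managed" {
  display_name = "CA-T1 Managed devices: MFA + compliant device, persistent session"
  state        = "enabledForReportingButNotEnforced" # report-only first, then "enabled"

  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]
    applications { included_applications = ["All"] }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id] # emergency accounts stay out
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "compliantDevice"] # Intune non-compliant = no access
  }

  session_controls {
    persistent_browser_mode = "always" # full SSO on managed devices
  }
}

resource "azuread_conditional_access_policy" "tier2_byod" {
  display_name = "CA-T2 BYOD/contractors: MFA + app protection, 8h sessions"
  state        = "enabledForReportingButNotEnforced"
  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]
    applications { included_applications = ["All"] }
    platforms { included_platforms = ["android", "iOS"] }
    users {
      included_groups = [var.contractor_group_id]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "compliantApplication"] # Intune app-protection policy
  }

  session_controls {
    sign_in_frequency        = 8
    sign_in_frequency_period = "hours"
    persistent_browser_mode  = "never"
  }
}
```

Both policies start in report-only mode so the sign-in log shows who would have been blocked before the state is flipped to "enabled" in a reviewed pull request.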
Those products collect evidence; they do not configure controls. We ship the controls (Conditional Access, PIM, SCIM, device compliance) as Terraform you own, then optionally feed Vanta/Drata with the audit log so their dashboards turn green.
Every Conditional Access policy, JIT approval flow and access review carries an explicit mapping to DORA Article 9, NIS2 Article 21(2)(i) and ISO 27001 Annex A.5/A.8. The implementation closes with an evidence pack formatted for your next supervisory review.
Nothing breaks. Every Conditional Access policy, SCIM mapping and dashboard lives in your Git repository. The Terraform state is yours. The runbooks are yours. We hand over a recorded engineer training session and the Slack channel stays open for 30 days.
One senior specialist. Zero hand-holding. Results in weeks.