Case Study — B2B SaaS

From Fragmented Admin Access
to a Controlled Microsoft 365
Environment.

How a 60-person B2B SaaS company rebuilt its identity baseline in six weeks — reducing Global Admin sprawl, enforcing phishing-resistant MFA, and passing the next enterprise security review without remediation.

6
weeks
end-to-end identity rebuild
60
people
on a single Microsoft 365 tenant
~80%
reduction
in standing Global Admin access
Industry B2B SaaS
Size ~60 employees
Platform Microsoft 365
Engagement 6 weeks
Services used Assessment · The Security Baseline™
Goal Controlled identity baseline + audit-ready evidence

The company

A B2B SaaS company of roughly 60 people, fully cloud-native, running its entire workplace on Microsoft 365. The company had grown quickly over three years — from a small founding team to a multi-department organisation — without ever pausing to formalise how IT and identity were managed.

The product team handled their own infrastructure. The operations team handled their own admin work. The CTO acted as the de facto IT owner whenever something broke. There was no dedicated IT or security function.

The challenge

Three years of rapid hiring had created a Microsoft 365 environment that no one fully owned. Admin access had been granted ad hoc — engineers got Global Admin to "fix things faster," contractors had been added to admin roles and never removed, and several shared admin accounts were in active use because they were "easier than dealing with role assignments."

MFA was enforced on user accounts but inconsistent on the admin and service accounts that mattered most. No one had run a formal access review since the company was 20 people.

"Who has access to what? When was the last access review? What's your privileged identity management approach?"

The issue surfaced when an enterprise prospect's security team requested a list of all Global Administrators, the date of the last access review, and the company's approach to privileged identity management. The honest answers would have killed the deal.

Why it mattered

They needed someone to fix it properly, not paper over it — and to leave behind a repeatable process the internal team could maintain.

Our approach

We did not start with tooling. We started with an inventory.

Phase 01 · Weeks 1–2
Inventory and design
We mapped every privileged role, every shared account, every service principal, and every conditional access policy in the tenant. We mapped which accounts had MFA enforced, which methods were registered, and which accounts had been inactive for more than 90 days. The inventory was the basis for everything that followed.
Phase 02 · Weeks 3–5
Implementation
Reduced admin counts to the minimum required. Replaced shared admin accounts with named privileged accounts. Enforced phishing-resistant MFA on all privileged roles. Configured just-in-time elevation so admin permissions were granted only when needed. Tightened conditional access policies around admin sign-ins.
Phase 03 · Week 6
Governance and handover
Documented joiner-mover-leaver workflows for privileged access. Established a quarterly access review cadence with named owners. Configured alerting on privileged role assignments, sensitive policy changes, and risky sign-ins. Handed over the runbook to the internal IT owner.

The outcome

Six weeks of focused work. Three things changed.

Privileged surface reduced by ~80% Standing Global Admin access dropped from double-digit count to a small handful of named, MFA-protected accounts using just-in-time elevation.
Shared admin accounts eliminated Every admin now has a dedicated, named privileged account separate from their daily user account. Audit trail is clean and attributable.
Phishing-resistant MFA on all privileged roles The single highest-impact control. Removes the most common path to full tenant compromise.
Quarterly access reviews established Documented cadence, named owners, repeatable process. Every framework that matters requires this.
Enterprise security review passed The next questionnaire was answered with confidence. Global Admin list, last access review date, and privileged-access approach all available on request.
Leadership got a defensible answer "Who has access to what?" now has a clear, documented response. The internal IT owner has a runbook they can maintain.

Key takeaways

Services used in this engagement

Diagnose, implement, maintain.

Is this your situation? A growing Microsoft 365 environment, too many people with too much access, and a security questionnaire on the way. We've done this before. The path is clear. Book a fit call →

Ready to do this?

Your security transformation
starts with one conversation.

Book a 30-minute fit call. No sales pitch. We'll tell you honestly where you stand, what it would take, and whether we're the right fit.

Book a Fit Call