Core Expertise - Identity Security

Your accounts are the target.
Stolen passwords should not be enough.

Compromised credentials are the entry point for over 80% of breaches. We implement Zero Trust controls that stop attackers even after a password is stolen.

Microsoft Entra ID Specialists | Zero Trust Architecture | NIS2 Framework Aligned
What it covers

Everything included in this service

Delivered by senior engineers. Scoped and priced upfront. No scope surprises.

🔐

Conditional Access Policies

Device compliance, location, sign-in risk, and user risk conditions enforced before access is granted. Designed for your environment, not copied from a template.

📱

Multi-Factor Authentication

Phishing-resistant MFA (FIDO2, Authenticator number matching) rolled out across all users. Legacy authentication blocked at tenant level.

👤

Entra ID & Identity Governance

User lifecycle, access reviews, privileged identity management, entitlement management, and governed guest access.

🔍

Identity Risk Detection

Entra ID Protection configured for compromised credentials, impossible travel, and anomalous sign-in - with automated remediation.

🏢

Privileged Access Management

Admin accounts separated from daily use. Just-in-time access via PIM. Emergency access accounts properly documented.

📋

Stale Account Remediation

Systematic identification and removal of ex-staff accounts, orphaned service accounts, and dormant guest access with ongoing hygiene process.

Platform overview
Identity & Zero Trust Security
A stolen password should not be enough.
Zero Trust means every access request is verified — identity, device, location, and risk — before it is granted. Not once at login. Every time.
The Zero Trust access decision
Identity (who) + Device (what device, compliance) + Location (where) + Risk (risk signal, risk score) = Decision (grant or block)
⚠ What weak identity controls enable
  • Credential phishing
  • Account takeover
  • Lateral movement
  • Dormant ex-staff access
  • Admin privilege abuse
  • Legacy auth bypass
The identity security stack

Multi-Factor Authentication (Entra ID + Authenticator)
  • FIDO2 phishing-resistant keys
  • Authenticator number matching
  • Legacy authentication blocked
  • MFA enforced — not just enabled
  • Per-user and per-app policies

Conditional Access (Entra ID Policy Engine)
  • Device compliance required
  • Named location enforcement
  • Sign-in risk conditions
  • Tested and validated — not Report-Only
  • Session controls for sensitive apps

Identity Governance (Entra ID Governance)
  • User lifecycle management
  • Access reviews (quarterly)
  • Stale account remediation
  • Guest & external access governed
  • Entitlement management

Privileged Access Management (Entra PIM)
  • Admin accounts separated
  • Just-in-time access via PIM
  • Approval workflow for elevation
  • Emergency access accounts configured
  • Admin activity audited

Identity Risk & Protection (Entra ID Protection)
  • Compromised credential detection
  • Impossible travel alerts
  • Anomalous sign-in detection
  • Automated remediation policies
  • Feeds into Microsoft Sentinel (SIEM)

NIS2 Article 21
We implement the MFA, access control, and privileged access management controls mandated by NIS2. All controls documented for supervisory authority review.
ISO 27001 Alignment
Identity and access management controls configured to align with ISO 27001 Annex A requirements. Evidence pack available for audit and tender submissions.
Cyber Insurance
MFA enforcement, CA policy documentation, and stale account remediation are the identity controls most commonly required by cyber insurance underwriters.
Tailored to your role

What this means for you

Select your role to see how this service maps to your specific situation.

A password is no longer a sufficient credential

The most common attack pattern against SMEs is simple: an employee receives a phishing email, enters their credentials on a convincing fake login page, and the attacker has everything they need. Without Conditional Access enforcing device compliance, MFA, and sign-in risk conditions, a stolen password is all it takes. With Zero Trust identity controls properly configured, it is not enough.

  • MFA is enabled but not enforced - users can still authenticate without it
  • Conditional Access policies exist in the portal but have never been tested or validated
  • No process exists for removing access when a staff member or contractor leaves
  • Guest and external user accounts from old projects remain active in the tenant

By the numbers

Common
Environments with CA policies in Report-Only or heavily excluded state
Frequent
Environments with former employee accounts still active at first review
80%+
Of data breaches involve compromised or stolen credentials (Verizon DBIR)

You are responsible when an account gets compromised - make sure the controls work

The gap between Conditional Access being enabled and Conditional Access being enforced is where almost every identity-based breach happens. Policies in Report-Only mode generate alerts but block nothing. Policies with broad exclusions for legacy clients leave the door open. Policies that were configured once and never reviewed may no longer reflect your environment. We audit every policy and fix every gap.

  • CA policies show as Enabled but have never been tested - you do not know what they actually block
  • Legacy authentication protocols are still active, allowing MFA bypass via older clients
  • No formal process for offboarding - access left behind when people leave
  • Admin accounts are used for daily tasks rather than being separated and privileged

By the numbers

Common
CA policies found in ineffective state in a first identity audit
4 avg
Former employee or contractor accounts found active per environment
15 min
Maximum response time for critical identity incidents under a 4DS managed service

The average ransomware incident begins with one compromised account

Ransomware operators do not typically exploit technical vulnerabilities in software. They steal credentials through phishing, buy them from breach databases, or use credential stuffing. Once they have a valid username and password, they log in. If Conditional Access is properly enforced, a stolen password is not enough. If it is not enforced, one phishing email is the beginning of an incident that costs tens of thousands of euros to remediate.

  • You are not certain MFA is enforced for every user in the organisation
  • Your cyber insurer is asking about access controls and you are not confident you can answer
  • You have no visibility into which accounts have administrative privileges to your business systems
  • A competitor or peer organisation has recently suffered an account compromise incident

By the numbers

1 hour
Typical time for full emergency access lockdown under a 4DS incident response
100%
Of 4DS-managed environments have documented, tested Conditional Access policy baselines

NIS2 and public sector frameworks require documented, enforced access controls

NIS2 Directive Article 21 requires organisations in scope to implement multi-factor authentication, access control policies, and privileged access management as baseline security measures. Public sector ICT tenders increasingly require documented evidence of these controls - not simply that MFA is enabled, but that it is enforced, tested, and reviewed periodically. We implement the controls and produce the documentation.

  • No documented Conditional Access policy baseline to include in a submission
  • MFA enabled but not enforced - cannot certify compliance with NIS2 access control requirements
  • No periodic access review process or evidence of stale account remediation
  • Privileged access not formally managed, documented, or subject to just-in-time controls

By the numbers

NIS2
We implement the MFA, access control, and PAM requirements of NIS2 Article 21
ISO 27001
Controls configured to ISO 27001 alignment — evidence available for submissions
48 hrs
Typical turnaround for identity governance evidence pack production
What a first review typically finds

The gaps we find in almost every environment

These are not edge cases. They are the standard state of an SME environment without an independent review.

Common

CA policies that block nothing

Report-Only mode or so many exclusions the policies are effectively disabled. Looks configured on paper - prevents nothing.

Frequent

Ex-staff accounts still active

Average of 4 former employee accounts found per environment. Some had been gone for over 12 months with live credentials.

80%+

Of breaches involve stolen credentials

Conditional Access with enforced MFA is the single most effective control against credential-based attacks.

How we deliver it

The 4DS delivery process

Four stages. No handovers to junior staff mid-project. No scope surprises.

STEP 01

Identity Audit

Every user, admin, guest, and service account reviewed. Stale and orphaned accounts identified. Admin role assignments documented.

STEP 02

Policy Design

Conditional Access policies designed for your environment and risk tolerance with a staged rollout plan to avoid disruption.

STEP 03

MFA & Zero Trust Rollout

Phishing-resistant MFA deployed. Legacy authentication blocked. Device compliance and sign-in risk conditions enforced.

STEP 04

Ongoing Identity Hygiene

Monthly access review, quarterly stale account audit, continuous Entra ID Protection monitoring with automated risk response.

Get in touch

Tell us about your current identity setup and what you are concerned about. No commitment required.

  • Full identity audit — every account, admin role, and CA policy reviewed
  • Conditional Access tested and validated, not just enabled on paper
  • Scoped and priced upfront — clear costs before any commitment