
Cloud Security Review

What Does a Cloud Security Review Include?

Misconfigured M365, AWS, and Azure environments are the most common entry point we see in real incidents. Here is what a cloud security review covers, how long it takes, and what you get at the end.


What's included

The short answer

A cloud security review is an independent audit of how your cloud platforms are configured. It looks at your Microsoft 365 tenant, AWS account, or Azure subscription and identifies every misconfiguration, excessive permission, and data exposure risk before an attacker finds them.

- Microsoft 365 configuration audit
- AWS and Azure security review
- Identity and access management (who has what access)
- Privileged account and admin role review
- Data exposure and sharing settings audit
- Email security configuration (SPF, DKIM, DMARC)
- Licensing review (security features you're not using)
- CIS benchmark gap analysis

What you walk away with

The deliverables

At the end of the engagement you receive a complete documentation package. Your IT provider can work from it directly. You can also share it with a board, insurer, or prospective client as evidence of your cloud security posture.

Configuration Findings Report

A plain-English breakdown of every misconfiguration found across your cloud environment, ranked by severity. Written so a non-technical owner can understand what was found and what to do next.

Identity and Access Map

A full picture of who has access to what across your cloud environment. Admin roles, guest accounts, overprivileged users, and third-party app permissions all documented in one place.

Remediation Playbook

Step-by-step fix instructions for every finding. Structured so your IT provider can work through it directly without needing us to interpret it. Quick wins highlighted separately.

Walk-Through Call

We walk through every finding with your team and answer questions. It comes with every engagement, at no extra charge.

How it works

The review process, step by step

Every phase below is included as standard. Nothing is optional or charged separately.

  1. Scoping and Access Setup

    We agree which cloud platforms are in scope, define access requirements, and confirm testing boundaries before work begins. Read-only access is all we need. We make no changes to your environment during the review.

  2. Configuration Baseline

    We export the configuration from your M365 tenant, AWS account, or Azure subscription and compare every setting against current CIS benchmarks. That includes controls vendors enable by default and settings most administrators never revisit.

  3. Identity and Access Review

    We audit every user account, admin role, service principal, and third-party app permission in your environment. Guest accounts, inactive users, and over-privileged roles all show up here.

  4. Data Exposure Assessment

    We review sharing settings across SharePoint, OneDrive, S3, and blob storage to identify what data could be reached if credentials were compromised, and what is already accessible externally without them.

  5. Security Feature Review

    We check which security features your licences cover but your tenant does not use: Defender plans, conditional access policies, MFA enforcement, DLP rules, audit logging. You are likely already paying for controls you are not running.

  6. Reporting and Delivery

    You receive the peer-reviewed report, remediation playbook, walk-through call, and follow-up Q&A. An optional re-test confirms the critical fixes landed correctly.


Why this matters now · Updated March 2026

M365 configurations go stale faster than most businesses realise

Microsoft continuously updates its security defaults, deprecates legacy authentication protocols, and rolls out new Defender controls. What was correctly configured six months ago may already be out of date. Most businesses discover this only after an incident.

We track these changes and keep our review methodology current. Our findings reflect what Microsoft actually enforces today, not a checklist that was accurate two years ago.


Pricing and timeline

What to expect

From $2,500

For a typical Australian SME (10–200 employees)

5–10 business days

Typical end-to-end delivery

The final cost depends on scope: the number of cloud platforms, tenant size, and the depth of identity and access management review required. Most SME engagements sit at the lower end of that range.

A single experienced reviewer owns the work from start to finish. There are no hand-offs between teams and nothing sits in a queue waiting for sign-off. That is why turnaround is faster than you would expect from a larger consultancy.

A cloud security review starts at $2,500. A single Business Email Compromise incident (the most common outcome of a compromised M365 account) costs Australian businesses an average of $50,000 in fraudulent transfers and recovery costs. Prevention is always cheaper.

Need a broader review?

Cyber Security Assessment

A cloud review covers your M365, Azure, and AWS configuration. A full cyber security assessment adds your internal network, endpoints, email security, and overall security controls. If you are unsure which fits your situation, start with a 15-minute call.


FAQ

Common questions

How long does a cloud security review take?

Most reviews complete within five to ten business days from kick-off to report delivery. The exact timeline depends on the number of cloud platforms in scope and the size of your tenant or account. We agree on a schedule before we begin.

Do you need admin access to our M365 or AWS environment?

We require read-only access. For M365 we use the Global Reader role; for AWS we use a read-only IAM policy. We document exactly what access was granted and revoke it after the review. We never make changes to your environment.

We already have an IT provider managing our M365. Why do we need a review?

Managed service providers set up M365 tenants to work, not to be secure. In most tenants we review, legacy authentication is still enabled, conditional access policies are not configured, and admin accounts have no MFA enforced. These are not edge cases. They are the default state of the average MSP-managed M365 tenancy. Your IT provider is not doing anything wrong by their brief. A security review is a different brief.

What cloud platforms do you review?

We cover Microsoft 365 (including Entra ID, Exchange Online, SharePoint, and Teams), Microsoft Azure, and Amazon Web Services. Google Workspace reviews are available on request. Most Australian SMEs use M365, so that is the most common scope.

Can we use the review report for cyber insurance applications?

Yes. Cloud security configuration is one of the areas insurers now specifically ask about. Our report documents your current posture, the gaps we found, and the remediation steps you are taking. Several clients have used it to support better premiums or satisfy underwriter requirements.

What happens after the review?

We write the remediation playbook so your IT provider can execute it directly. We answer follow-up questions at no extra charge. For clients who want ongoing configuration management and security governance, our vCISO service is where most go next.

Ready to find your cloud gaps?

Get a quote tailored to your environment. We respond within one business day.
